Jump to content

Metallica

Staff
  • Content Count

    2,369
  • Joined

  • Last visited

4 Followers

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

Recent Profile Visitors

165,730 profile views
  1. What is GetPoliticalNews?The Malwarebytes research team has determined that GetPoliticalNews is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.GetPoliticalNews is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by GetPoliticalNews?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did GetPoliticalNews get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove GetPoliticalNews?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GetPoliticalNews? No, Malwarebytes' Anti-Malware removes GetPoliticalNews completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the GetPoliticalNews hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/getpoliticalnews/ttab02/index.html?n=C08D816&p2=%5ECXR%5Emni000%5ETTAB02&ptb=3F408F5E-5459-4D52-84E6-B5193B5FDAE8&coid=cd10cc051786489b82d12838f475950e FF HomepageOverride: Mozilla\Firefox\Profiles\vkq9erdv.default-1519559592148-1560329836028 -> Enabled: _qpMembers_@free.getpoliticalnews.com FF NewTabOverride: Mozilla\Firefox\Profiles\vkq9erdv.default-1519559592148-1560329836028 -> Enabled: _qpMembers_@free.getpoliticalnews.com FF Extension: (GetPoliticalNews) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\vkq9erdv.default-1519559592148-1560329836028\Extensions\_qpMembers_@free.getpoliticalnews.com.xpi [2019-06-19] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=238865599&version=8.905.15.39798&track=TTAB02&trackRevision=1&fromId=_qpMembers_%40free.getpoliticalnews.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://leekaeilhmonbgjlggdmpdgepmngaldb/ntp.html" CHR Extension: (GetPoliticalNews) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb [2019-06-19] C:\Users\{username}\AppData\Local\GetPoliticalNewsTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\getpoliticalnews.exe GetPoliticalNews Internet Explorer Homepage and New Tab (HKCU\...\GetPoliticalNewsTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\GetPoliticalNewsTooltab Adds the file TooltabExtension.dll"="3/5/2019 10:28 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0 Adds the file manifest.json"="6/19/2019 9:03 AM, 2659 bytes, A Adds the file ntp.html"="6/9/2019 12:31 PM, 1423 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_metadata Adds the file computed_hashes.json"="6/19/2019 9:03 AM, 5503 bytes, A Adds the file verified_contents.json"="6/9/2019 12:31 PM, 7025 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\config Adds the file config.json"="6/9/2019 12:31 PM, 1511 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\icons Adds the file icon128.png"="6/19/2019 9:03 AM, 6176 bytes, A Adds the file icon16.png"="6/9/2019 12:31 PM, 1550 bytes, A Adds the file icon19disabled.png"="6/9/2019 12:31 PM, 1599 bytes, A Adds the file icon19on.png"="6/19/2019 9:03 AM, 788 bytes, A Adds the file icon48.png"="6/19/2019 9:03 AM, 2349 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js Adds the file ajax.js"="6/9/2019 12:31 PM, 3263 bytes, A Adds the file babAPI.js"="6/9/2019 12:31 PM, 5703 bytes, A Adds the file babClickHandler.js"="6/9/2019 12:31 PM, 11430 bytes, A Adds the file babContentScript.js"="6/9/2019 12:31 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="6/9/2019 12:31 PM, 9842 bytes, A Adds the file background.js"="6/9/2019 12:31 PM, 18011 bytes, A Adds the file browserUtils.js"="6/9/2019 12:31 PM, 1536 bytes, A Adds the file chrome.js"="6/9/2019 12:31 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="6/9/2019 12:31 PM, 22629 bytes, A Adds the file dateTimeUtils.js"="6/9/2019 12:31 PM, 1213 bytes, A Adds the file dlp.js"="6/9/2019 12:31 PM, 5783 bytes, A Adds the file dlpHelper.js"="6/9/2019 12:31 PM, 1835 bytes, A Adds the file extensionDetect.js"="6/9/2019 12:31 PM, 4354 bytes, A Adds the file index.js"="6/9/2019 12:31 PM, 49 bytes, A Adds the file localStorageContentScript.js"="6/9/2019 12:31 PM, 2236 bytes, A Adds the file logger.js"="6/9/2019 12:31 PM, 531 bytes, A Adds the file meta.js"="6/9/2019 12:31 PM, 1631 bytes, A Adds the file offerService.js"="6/9/2019 12:31 PM, 16953 bytes, A Adds the file pageUtils.js"="6/9/2019 12:31 PM, 3154 bytes, A Adds the file PartnerId.js"="6/9/2019 12:31 PM, 16402 bytes, A Adds the file polyfill.js"="6/9/2019 12:31 PM, 875 bytes, A Adds the file product.js"="6/9/2019 12:31 PM, 7837 bytes, A Adds the file remoteConfigLoader.js"="6/9/2019 12:31 PM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="6/9/2019 12:31 PM, 2821 bytes, A Adds the file storageUtils.js"="6/9/2019 12:31 PM, 1718 bytes, A Adds the file TemplateParser.js"="6/9/2019 12:31 PM, 3153 bytes, A Adds the file ul.js"="6/9/2019 12:31 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="6/9/2019 12:31 PM, 2450 bytes, A Adds the file urlUtils.js"="6/9/2019 12:31 PM, 5906 bytes, A Adds the file util.js"="6/9/2019 12:31 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="6/9/2019 12:31 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="6/9/2019 12:31 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\leekaeilhmonbgjlggdmpdgepmngaldb Adds the file 000003.log"="6/19/2019 9:03 AM, 5585 bytes, A Adds the file CURRENT"="6/19/2019 9:03 AM, 16 bytes, A Adds the file LOCK"="6/19/2019 9:03 AM, 0 bytes, A Adds the file LOG"="6/19/2019 9:03 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/19/2019 9:03 AM, 41 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\vkq9erdv.default-1519559592148-1560329836028\extensions Adds the file _qpMembers_@free.getpoliticalnews.com.xpi"="6/19/2019 8:58 AM, 82563 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\GetPoliticalNews] "Start Page"="REG_SZ", "http://hp.myway.com/getpoliticalnews/ttab02/index.html?n=C08D816&p2=^CXR^mni000^TTAB02&ptb=3F408F5E-5459-4D52-84E6-B5193B5FDAE8&coid=cd10cc051786489b82d12838f475950e" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c=3F408F5E-5459-4D52-84E6-B5193B5FDAE8&ptb=^CXR^mni000^TTAB02" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "leekaeilhmonbgjlggdmpdgepmngaldb"="REG_SZ", "CEC015520085857720ED531A16740AD54623EFB25AFA925B8222D059518ACDBB" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/getpoliticalnews/ttab02/index.html?n=C08D816&p2=^CXR^mni000^TTAB02&ptb=3F408F5E-5459-4D52-84E6-B5193B5FDAE8&coid=cd10cc051786489b82d12838f475950e" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\GetPoliticalNewsTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "GetPoliticalNews Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\GetPoliticalNewsTooltab\TooltabExtension.dll" U uninstall:GetPoliticalNews" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/19/19 Scan Time: 9:14 AM Log File: ef8caacc-9261-11e9-a1e9-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11128 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236306 Threats Detected: 86 Threats Quarantined: 86 Time Elapsed: 6 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GetPoliticalNewsTooltab\TooltabExtension.dll, Quarantined, [1755], [356944],1.0.11128 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GetPoliticalNewsTooltab Uninstall Internet Explorer, Quarantined, [1755], [356944],1.0.11128 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GetPoliticalNews, Quarantined, [1755], [444113],1.0.11128 Registry Value: 3 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GetPoliticalNews|START PAGE, Quarantined, [1755], [444113],1.0.11128 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GetPoliticalNewsTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [633], [352442],1.0.11128 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|leekaeilhmonbgjlggdmpdgepmngaldb, Quarantined, [1755], [443121],1.0.11128 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [633], [293497],1.0.11128 Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GetPoliticalNewsTooltab, Quarantined, [1755], [356944],1.0.11128 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\leekaeilhmonbgjlggdmpdgepmngaldb, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\es_419, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\pt_BR, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\pt_PT, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\de, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\en, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\es, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\fr, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\it, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\ja, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_metadata, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\config, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\icons, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LEEKAEILHMONBGJLGGDMPDGEPMNGALDB, Quarantined, [1755], [443121],1.0.11128 File: 61 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GetPoliticalNewsTooltab\TooltabExtension.dll, Quarantined, [1755], [356944],1.0.11128 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\VKQ9ERDV.DEFAULT-1519559592148-1560329836028\EXTENSIONS\_qpMembers_@free.getpoliticalnews.com.xpi, Quarantined, [1755], [457930],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\leekaeilhmonbgjlggdmpdgepmngaldb\000003.log, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\leekaeilhmonbgjlggdmpdgepmngaldb\CURRENT, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\leekaeilhmonbgjlggdmpdgepmngaldb\LOCK, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\leekaeilhmonbgjlggdmpdgepmngaldb\LOG, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\leekaeilhmonbgjlggdmpdgepmngaldb\MANIFEST-000001, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LEEKAEILHMONBGJLGGDMPDGEPMNGALDB\13.882.15.39800_0\MANIFEST.JSON, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\config\config.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\icons\icon128.png, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\icons\icon16.png, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\icons\icon19disabled.png, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\icons\icon19on.png, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\icons\icon48.png, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\localStorageContentScript.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\ajax.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\babAPI.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\babClickHandler.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\babContentScript.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\babContentScriptAPI.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\background.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\browserUtils.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\chrome.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\contentScriptConnectionManager.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\dateTimeUtils.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\dlp.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\dlpHelper.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\extensionDetect.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\index.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\logger.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\meta.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\offerService.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\pageUtils.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\PartnerId.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\polyfill.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\product.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\remoteConfigLoader.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\splashPageRedirectHandler.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\storageUtils.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\TemplateParser.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\ul.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\urlFragmentActions.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\urlUtils.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\util.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\webtooltabAPI.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\js\webTooltabAPIProxy.js, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\de\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\en\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\es\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\es_419\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\fr\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\it\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\ja\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\pt_BR\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_locales\pt_PT\messages.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_metadata\computed_hashes.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\_metadata\verified_contents.json, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\leekaeilhmonbgjlggdmpdgepmngaldb\13.882.15.39800_0\ntp.html, Quarantined, [1755], [443121],1.0.11128 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\GETPOLITICALNEWS.EXE, Quarantined, [633], [365288],1.0.11128 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is Auto PC Speedup?The Malwarebytes research team has determined that Auto PC Speedup is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Auto PC Speedup?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Auto PC Speedup get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Auto PC Speedup?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Auto PC Speedup? No, Malwarebytes removes Auto PC Speedup completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Auto PC Speedup installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (PC Fixers Tools -> ) C:\Program Files\Auto PC ~Speedup for {computername}\iytr.exe Task: {05EF5F8C-E03B-483C-A2D3-3529F257F65B} - System32\Tasks\Auto PC ~Speedup_Logon => C:\Program Files\Auto PC ~Speedup for {computername}\iytr.exe [2385056 2019-01-04] (PC Fixers Tools -> ) C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername} C:\ProgramData\Auto PC ~Speedup for {computername} C:\Windows\System32\Tasks\Auto PC ~Speedup_Logon C:\Users\Public\Desktop\Auto PC ~Speedup.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC ~Speedup for {computername} C:\Program Files\Auto PC ~Speedup for {computername} ( ) C:\Users\{username}\Desktop\aupssetup.exe Auto PC ~Speedup (HKLM\...\{5DBD7ED2-84C2-402B-BE69-8FE11976567E}_is1) (Version: 3.0.1.2 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Auto PC ~Speedup for {computername} Adds the file application.ico"="10/24/2018 12:48 PM, 56150 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 11:25 AM, 2600 bytes, A Adds the file gmtrs.dll"="1/4/2019 3:09 PM, 1966240 bytes, A Adds the file HtmlRenderer.dll"="1/4/2019 3:09 PM, 236704 bytes, A Adds the file HtmlRenderer.WinForms.dll"="1/4/2019 3:09 PM, 75424 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="1/4/2019 3:09 PM, 64160 bytes, A Adds the file Interop.SHDocVw.dll"="1/4/2019 3:09 PM, 178848 bytes, A Adds the file iytr.exe"="1/4/2019 3:09 PM, 2385056 bytes, A Adds the file iytr.exe.config"="1/4/2019 3:07 PM, 6322 bytes, A Adds the file langs.db"="11/10/2018 3:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="1/4/2019 3:09 PM, 186016 bytes, A Adds the file NAudio.dll"="1/4/2019 3:09 PM, 486048 bytes, A Adds the file Newtonsoft.Json.dll"="1/4/2019 3:09 PM, 475808 bytes, A Adds the file PaddleCheckoutSDK.dll"="1/4/2019 3:09 PM, 73888 bytes, A Adds the file System.Data.SQLite.DLL"="1/4/2019 3:09 PM, 305824 bytes, A Adds the file TAFactory.IconPack.dll"="1/4/2019 3:09 PM, 51872 bytes, A Adds the file unins000.dat"="6/17/2019 2:24 PM, 85271 bytes, A Adds the file unins000.exe"="6/17/2019 2:23 PM, 1243808 bytes, A Adds the file unins000.msg"="6/17/2019 2:24 PM, 22701 bytes, A Adds the folder C:\Program Files\Auto PC ~Speedup for {computername}\x64 Adds the file SQLite.Interop.dll"="1/4/2019 3:09 PM, 1190560 bytes, A Adds the folder C:\Program Files\Auto PC ~Speedup for {computername}\x86 Adds the file SQLite.Interop.dll"="1/4/2019 3:09 PM, 869536 bytes, A Adds the folder C:\ProgramData\Auto PC ~Speedup for {computername} Adds the file mdb.db"="10/26/2018 10:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 11:25 AM, 130973 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC ~Speedup for {computername} Adds the file Auto PC ~Speedup.lnk"="6/17/2019 2:24 PM, 981 bytes, A Adds the file Buy Auto PC ~Speedup.lnk"="6/17/2019 2:24 PM, 993 bytes, A Adds the file Uninstall Auto PC ~Speedup.lnk"="6/17/2019 2:24 PM, 1005 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername} Adds the file a_p_t_2.xml"="6/17/2019 2:28 PM, 1206 bytes, A Adds the file Errorlog.txt"="6/17/2019 2:28 PM, 22294 bytes, A Adds the file exlist.bin"="6/17/2019 2:24 PM, 258017 bytes, A Adds the file notifier.xml"="6/17/2019 2:24 PM, 14350 bytes, A Adds the file res.xml"="6/17/2019 2:26 PM, 14015 bytes, A Adds the file update.xml"="6/17/2019 2:24 PM, 39224 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Auto PC ~Speedup.lnk"="6/17/2019 2:24 PM, 963 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Auto PC ~Speedup_Logon"="6/17/2019 2:24 PM, 3076 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Auto PC ~Speedup For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins1.alfactiv.com/install/aups/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.onepctool.club/aups/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Auto PC ~Speedup for {computername}" "ipaddrurl"="REG_SZ", "http://www.alfactiv.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 35 "lstscandate"="REG_SZ", "6/17/2019 2:26:27 PM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 35 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.alfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.alfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.onepctool.club/aups/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.onepctool.club/aups/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.onepctool.club/help/" "TELNO"="REG_SZ", "833-423-6820" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "833-423-6820" "WebURL"="REG_SZ", "http://www.onepctool.club/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_254" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5DBD7ED2-84C2-402B-BE69-8FE11976567E}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Auto PC ~Speedup for {computername}\iytr.exe" "DisplayName"="REG_SZ", "Auto PC ~Speedup" "DisplayVersion"="REG_SZ", "3.0.1.2" "EstimatedSize"="REG_DWORD", 18654 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Auto PC ~Speedup for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Auto PC ~Speedup for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190617" "InstallLocation"="REG_SZ", "C:\Program Files\Auto PC ~Speedup for {computername}\" "MajorVersion"="REG_DWORD", 3 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Auto PC ~Speedup for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Auto PC ~Speedup for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\QXV0byBQQyB+U3BlZWR1cA==\ACT] "data"="REG_BINARY, .................................................................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Auto PC ~Speedup For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Auto PC ~Speedup for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "833-423-6820" "TELNO_us"="REG_SZ", "833-423-6820" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_254" [HKEY_CURRENT_USER\Software\Auto PC ~Speedup For {computername}\3.0.1.2] "Installstring"="REG_SZ", "C:\Program Files\Auto PC ~Speedup for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/17/19 Scan Time: 2:37 PM Log File: 9f53ef68-90fc-11e9-b342-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11096 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236434 Threats Detected: 83 Threats Quarantined: 83 Time Elapsed: 13 min, 7 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\iytr.exe, Quarantined, [463], [603766],1.0.11096 Module: 7 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\x64\SQLite.Interop.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\iytr.exe, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\PaddleCheckoutSDK.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\System.Data.SQLite.DLL, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\TAFactory.IconPack.dll, Quarantined, [463], [603766],1.0.11096 Registry Key: 10 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Auto PC ~Speedup_Logon, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{05EF5F8C-E03B-483C-A2D3-3529F257F65B}, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{05EF5F8C-E03B-483C-A2D3-3529F257F65B}, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{5DBD7ED2-84C2-402B-BE69-8FE11976567E}_is1, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, HKCU\SOFTWARE\Auto PC ~Speedup For {computername}, Quarantined, [463], [548199],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [463], [540842],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\Auto PC ~Speedup For {computername}, Quarantined, [463], [548198],1.0.11096 PUP.Optional.Jawego, HKLM\SOFTWARE\QXV0byBQQyB+U3BlZWR1cA==, Quarantined, [613], [534889],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\TRACING\iytr_RASAPI32, Quarantined, [463], [603760],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\TRACING\iytr_RASMANCS, Quarantined, [463], [603760],1.0.11096 Registry Value: 6 PUP.Optional.PCVARK, HKCU\SOFTWARE\Auto PC ~Speedup For {computername}|TELNO, Quarantined, [463], [548199],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{05EF5F8C-E03B-483C-A2D3-3529F257F65B}|PATH, Quarantined, [463], [603762],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [463], [540842],1.0.11096 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1220], [484510],1.0.11096 PUP.Optional.PCVARK, HKCU\SOFTWARE\Auto PC ~Speedup For {computername}|TELNO_US, Quarantined, [463], [603767],1.0.11096 PUP.Optional.PCVARK, HKLM\SOFTWARE\Auto PC ~Speedup For {computername}|AFFIRED, Quarantined, [463], [548198],1.0.11096 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\ProgramData\Auto PC ~Speedup for {computername}\offers, Quarantined, [463], [603764],1.0.11096 PUP.Optional.PCVARK, C:\PROGRAMDATA\Auto PC ~Speedup for {computername}, Quarantined, [463], [603764],1.0.11096 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername}\smico, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Auto PC ~Speedup For {computername}, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Auto PC ~Speedup for {computername}, Quarantined, [463], [603765],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\x64, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\x86, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\PROGRAM FILES\Auto PC ~Speedup for {computername}, Quarantined, [463], [603766],1.0.11096 File: 51 PUP.Optional.PCVARK, C:\PROGRAMDATA\Auto PC ~Speedup for {computername}\mdb.db, Quarantined, [463], [603764],1.0.11096 PUP.Optional.PCVARK, C:\ProgramData\Auto PC ~Speedup for {computername}\offers\a_p_t.exe, Quarantined, [463], [603764],1.0.11096 PUP.Optional.PCVARK, C:\ProgramData\Auto PC ~Speedup for {computername}\pcspstartrepair_en.mp3, Quarantined, [463], [603764],1.0.11096 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Auto PC ~Speedup For {computername}\Errorlog.txt, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername}\a_p_t_2.xml, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername}\exlist.bin, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername}\notifier.xml, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername}\res.xml, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Auto PC ~Speedup For {computername}\update.xml, Quarantined, [463], [603759],1.0.11096 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Auto PC ~Speedup for {computername}\Buy Auto PC ~Speedup.lnk, Quarantined, [463], [603765],1.0.11096 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC ~Speedup for {computername}\Auto PC ~Speedup.lnk, Quarantined, [463], [603765],1.0.11096 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auto PC ~Speedup for {computername}\Uninstall Auto PC ~Speedup.lnk, Quarantined, [463], [603765],1.0.11096 PUP.Optional.PCVARK, C:\PROGRAM FILES\Auto PC ~Speedup for {computername}\unins000.dat, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\x64\SQLite.Interop.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\x86\SQLite.Interop.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\iytr.exe.config, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\application.ico, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\danish_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\Dutch_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\english_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\finish_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\French_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\german_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\gmtrs.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\HtmlRenderer.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\Interop.SHDocVw.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\italian_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\iytr.exe, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\japanese_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\langs.db, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\NAudio.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\Newtonsoft.Json.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\norwegian_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\PaddleCheckoutSDK.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\portuguese_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\russian_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\spanish_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\swedish_iss.ini, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\System.Data.SQLite.DLL, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\TAFactory.IconPack.dll, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\unins000.exe, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\Program Files\Auto PC ~Speedup for {computername}\unins000.msg, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Auto PC ~Speedup_Logon, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Auto PC ~Speedup.lnk, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\USERS\PUBLIC\Desktop\Auto PC ~Speedup.lnk, Quarantined, [463], [603766],1.0.11096 PUP.Optional.PCVARK, C:\PROGRAMDATA\AUTO PC ~SPEEDUP FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [463], [583068],1.0.11096 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [463], [583068],1.0.11096 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\AUPSSETUP.EXE, Quarantined, [463], [602750],1.0.11096 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is SportMuze Search?The Malwarebytes research team has determined that SportMuze Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by SportMuze Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did SportMuze Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove SportMuze Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of SportMuze Search? No, Malwarebytes removes SportMuze Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the SportMuze Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://apps.searchalgo.com/search/?category=web&s=mpds&q={searchTerms} CHR DefaultSearchKeyword: Default -> Sport Reminder CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (Sport Reminder) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink [2019-06-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0 Adds the file background.js"="8/3/2016 10:15 AM, 4354 bytes, A Adds the file manifest.json"="6/17/2019 8:53 AM, 1808 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\_metadata Adds the file computed_hashes.json"="6/17/2019 8:53 AM, 340 bytes, A Adds the file verified_contents.json"="1/25/2017 2:44 PM, 1763 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\icons Adds the file icon128.png"="6/17/2019 8:53 AM, 7302 bytes, A Adds the file icon16.png"="6/17/2019 8:53 AM, 696 bytes, A Adds the file icon48.png"="8/3/2016 10:15 AM, 4104 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jkcgfdgkbambgbobgkceeoalcdefpink"="REG_SZ", "58F4C52DFF5FEEA4AA3F95B33B75E04FFE73288F93C38362E1BB2A0861201655" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/17/19 Scan Time: 9:00 AM Log File: 8e6ebdba-90cd-11e9-a3ed-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11090 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236157 Threats Detected: 16 Threats Quarantined: 16 Time Elapsed: 5 min, 14 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchAlgo.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jkcgfdgkbambgbobgkceeoalcdefpink, Quarantined, [14769], [443230],1.0.11090 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\_metadata, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\icons, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JKCGFDGKBAMBGBOBGKCEEOALCDEFPINK, Quarantined, [14769], [443230],1.0.11090 File: 11 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JKCGFDGKBAMBGBOBGKCEEOALCDEFPINK\1.0.2_0\MANIFEST.JSON, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\icons\icon128.png, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\icons\icon16.png, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\icons\icon48.png, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\_metadata\computed_hashes.json, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\_metadata\verified_contents.json, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkcgfdgkbambgbobgkceeoalcdefpink\1.0.2_0\background.js, Quarantined, [14769], [443230],1.0.11090 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [367], [454816],1.0.11090 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [367], [454816],1.0.11090 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is World Time News?The Malwarebytes research team has determined that World Time News is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one hijacks the search results and changes the newtab setting.How do I know if my computer is affected by World Time News?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and these changed settings:How did World Time News get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove World Time News?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of World Time News? No, Malwarebytes removes World Time News completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.The full version of Malwarebytes would have protected you against the World Time News hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://jpcbbgipjmebejlllpdkcgjogdnbbkhb/redirect.html" CHR DefaultSearchURL: Default -> hxxps://app.worldtime.news/?src=WorldTimeNews_ds&q={searchTerms} CHR DefaultSearchKeyword: Default -> keyword.WorldTimeNews CHR Extension: (WorldTimeNews Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb [2019-06-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0 Adds the file background.js"="5/26/2019 3:40 PM, 5591 bytes, A Adds the file logo.png"="6/14/2019 10:04 AM, 5917 bytes, A Adds the file manifest.json"="6/14/2019 10:04 AM, 2201 bytes, A Adds the file popup.html"="5/22/2019 3:07 PM, 533 bytes, A Adds the file redirect.html"="5/22/2019 3:07 PM, 366 bytes, A Adds the file redirect.js"="5/22/2019 3:46 PM, 1023 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\_metadata Adds the file computed_hashes.json"="6/14/2019 10:04 AM, 499 bytes, A Adds the file verified_contents.json"="5/26/2019 3:41 PM, 1844 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jpcbbgipjmebejlllpdkcgjogdnbbkhb"="REG_SZ", "4DE519D5EC104DE300F324102B54FEF3526FF3DC339D1F8348ABE5753D9A967F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/14/19 Scan Time: 10:24 AM Log File: c31cf150-8e7d-11e9-9298-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11048 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236145 Threats Detected: 14 Threats Quarantined: 14 Time Elapsed: 4 min, 55 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Imali.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jpcbbgipjmebejlllpdkcgjogdnbbkhb, Quarantined, [4608], [443118],1.0.11048 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\_metadata, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JPCBBGIPJMEBEJLLLPDKCGJOGDNBBKHB, Quarantined, [4608], [443118],1.0.11048 File: 10 PUP.Optional.Imali.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JPCBBGIPJMEBEJLLLPDKCGJOGDNBBKHB\0.3_0\REDIRECT.JS, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\_metadata\computed_hashes.json, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\_metadata\verified_contents.json, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\background.js, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\logo.png, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\manifest.json, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\popup.html, Quarantined, [4608], [443118],1.0.11048 PUP.Optional.Imali.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpcbbgipjmebejlllpdkcgjogdnbbkhb\0.3_0\redirect.html, Quarantined, [4608], [443118],1.0.11048 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is DriverFixer?The Malwarebytes research team has determined that DriverFixer is a "driver updater". These so-called "system optimizers" sometimes use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with DriverFixer?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:You may see this entry in your list of installed programs:How did DriverFixer get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove DriverFixer?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of DriverFixer? No, Malwarebytes removes DriverFixer completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the DriverFixer installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (AppSmart) [File not signed] C:\Program Files (x86)\DriverFixer\DriverFixer.exe HKLM-x32\...\Run: [DriverFixer] => C:\Program Files (x86)\DriverFixer\DriverFixer.exe [945664 2017-02-15] (AppSmart) [File not signed] HKCU\...\Run: [DriverFixer] => C:\Program Files (x86)\DriverFixer\DriverFixer.exe [945664 2017-02-15] (AppSmart) [File not signed] C:\Users\Public\Desktop\DriverFixer.lnk C:\Users\{username}\AppData\Roaming\AppSmart C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFixer C:\Program Files (x86)\DriverFixer DriverFixer (HKLM-x32\...\DriverFixer) (Version: 2.0.0.1 - AppSmart) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\DriverFixer Adds the file DriverFixer.exe"="2/15/2017 8:55 PM, 945664 bytes, A Adds the file DriverFixer.ico"="2/15/2017 7:54 PM, 32038 bytes, A Adds the file helper.exe"="2/15/2017 7:54 PM, 75264 bytes, A Adds the file Newtonsoft.Json.dll"="2/15/2017 7:54 PM, 440320 bytes, A Adds the file uninstall.exe"="6/13/2019 9:12 AM, 50091 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFixer Adds the file DriverFixer.lnk"="6/13/2019 9:12 AM, 1061 bytes, A Adds the file Uninstall.lnk"="6/13/2019 9:12 AM, 1051 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\AppSmart\DriverFixer.exe_Url_tfdkqeyjc2zr0pc0rlgwpbke20wvg3qq\1.0.0.2 Adds the file log.txt"="6/13/2019 9:13 AM, 161 bytes, A Adds the file settings.config"="6/13/2019 9:13 AM, 1397 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file DriverFixer.lnk"="6/13/2019 9:12 AM, 1043 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DriverFixer] "(Default)"="REG_SZ", "C:\Program Files (x86)\DriverFixer" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "DriverFixer"="REG_SZ", ""C:\Program Files (x86)\DriverFixer\DriverFixer.exe" /s" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverFixer] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\DriverFixer\DriverFixer.ico" "DisplayName"="REG_SZ", "DriverFixer" "DisplayVersion"="REG_SZ", "2.0.0.1" "Publisher"="REG_SZ", "AppSmart" "UninstallString"="REG_SZ", "C:\Program Files (x86)\DriverFixer\uninstall.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "DriverFixer"="REG_SZ", ""C:\Program Files (x86)\DriverFixer\DriverFixer.exe" /s" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/13/19 Scan Time: 9:22 AM Log File: 0104cbd2-8dac-11e9-ac7d-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11028 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236226 Threats Detected: 24 Threats Quarantined: 24 Time Elapsed: 9 min, 8 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.DriverFixer, C:\Program Files (x86)\DriverFixer\DriverFixer.exe, Quarantined, [857], [372096],1.0.11028 Module: 1 PUP.Optional.DriverFixer, C:\Program Files (x86)\DriverFixer\DriverFixer.exe, Quarantined, [857], [372096],1.0.11028 Registry Key: 4 PUP.Optional.DriverFixer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DriverFixer, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, HKLM\SOFTWARE\MICROSOFT\TRACING\DriverFixer_RASAPI32, Quarantined, [857], [372522],1.0.11028 PUP.Optional.DriverFixer, HKLM\SOFTWARE\MICROSOFT\TRACING\DriverFixer_RASMANCS, Quarantined, [857], [372522],1.0.11028 PUP.Optional.DriverFixer, HKLM\SOFTWARE\WOW6432NODE\DriverFixer, Quarantined, [857], [372523],1.0.11028 Registry Value: 2 PUP.Optional.DriverFixer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DriverFixer, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DriverFixer, Quarantined, [857], [372096],1.0.11028 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.DriverFixer, C:\PROGRAM FILES (X86)\DRIVERFIXER, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVERFIXER, Quarantined, [857], [372098],1.0.11028 PUP.Optional.DriverFixer, C:\Users\{username}\AppData\Roaming\AppSmart\DriverFixer.exe_Url_tfdkqeyjc2zr0pc0rlgwpbke20wvg3qq\1.0.0.2, Quarantined, [857], [372961],1.0.11028 PUP.Optional.DriverFixer, C:\USERS\{username}\APPDATA\ROAMING\APPSMART\DriverFixer.exe_Url_tfdkqeyjc2zr0pc0rlgwpbke20wvg3qq, Quarantined, [857], [372961],1.0.11028 File: 12 PUP.Optional.DriverFixer, C:\USERS\PUBLIC\DESKTOP\DRIVERFIXER.LNK, Quarantined, [857], [372097],1.0.11028 PUP.Optional.DriverFixer, C:\Program Files (x86)\DriverFixer\DriverFixer.exe, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, C:\Program Files (x86)\DriverFixer\DriverFixer.ico, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, C:\Program Files (x86)\DriverFixer\helper.exe, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, C:\Program Files (x86)\DriverFixer\Newtonsoft.Json.dll, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, C:\Program Files (x86)\DriverFixer\uninstall.exe, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\DriverFixer.lnk, Quarantined, [857], [372096],1.0.11028 PUP.Optional.DriverFixer, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFixer\DriverFixer.lnk, Quarantined, [857], [372098],1.0.11028 PUP.Optional.DriverFixer, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFixer\Uninstall.lnk, Quarantined, [857], [372098],1.0.11028 PUP.Optional.DriverFixer, C:\Users\{username}\AppData\Roaming\AppSmart\DriverFixer.exe_Url_tfdkqeyjc2zr0pc0rlgwpbke20wvg3qq\1.0.0.2\log.txt, Quarantined, [857], [372961],1.0.11028 PUP.Optional.DriverFixer, C:\Users\{username}\AppData\Roaming\AppSmart\DriverFixer.exe_Url_tfdkqeyjc2zr0pc0rlgwpbke20wvg3qq\1.0.0.2\settings.config, Quarantined, [857], [372961],1.0.11028 PUP.Optional.DriverFixer, C:\USERS\{username}\DESKTOP\SETUP.EXE, Quarantined, [857], [372095],1.0.11028 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Reading Cursors?The Malwarebytes research team has determined that Reading Cursors is a potentially unwanted program that behaves like adware.This particular one adds advertisements at the top of your Google search results.How do I know if my computer is affected by Reading Cursors?You may see these warnings during install:this icon in your Chrome menu-bar:and this entry in your list of installed Chrome extensions:Despite the claim on their website that there is a compatible extension for Firefox, you'll see this warning when you try to install it:How did Reading Cursors get on my computer?Adware applications use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Reading Cursors?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Reading Cursors? No, Malwarebytes removes Reading Cursors completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the Reading Cursors adware. It would have warned you about their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Reading Cursors) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac [2019-06-12] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0 Adds the file 128.png"="6/12/2019 9:16 AM, 1774 bytes, A Adds the file 16.png"="6/12/2019 9:16 AM, 555 bytes, A Adds the file 48.png"="6/12/2019 9:16 AM, 1872 bytes, A Adds the file background.js"="5/15/2019 2:50 PM, 3145 bytes, A Adds the file jquery-3.3.1.slim.js"="5/7/2019 10:12 AM, 313918 bytes, A Adds the file manifest.json"="6/12/2019 9:16 AM, 1281 bytes, A Adds the file page.js"="5/15/2019 11:19 AM, 1979 bytes, A Adds the file popup.html"="5/7/2019 10:12 AM, 451 bytes, A Adds the file popup.js"="5/7/2019 10:12 AM, 1764 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_locales\en Adds the file messages.json"="6/12/2019 9:16 AM, 145 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_metadata Adds the file computed_hashes.json"="6/12/2019 9:16 AM, 4129 bytes, A Adds the file verified_contents.json"="5/15/2019 2:19 PM, 2283 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljdhbmpgjoniipceolimmogfinbcofac Adds the file 000003.log"="6/12/2019 9:17 AM, 493 bytes, A Adds the file CURRENT"="6/12/2019 9:17 AM, 16 bytes, A Adds the file LOCK"="6/12/2019 9:17 AM, 0 bytes, A Adds the file LOG"="6/12/2019 9:17 AM, 185 bytes, A Adds the file MANIFEST-000001"="6/12/2019 9:17 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ljdhbmpgjoniipceolimmogfinbcofac"="REG_SZ", "AFE740E14B34461CAEE3BDB4653E6B935C1081D21CC954CD99C840BE2A069901" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/12/19 Scan Time: 9:28 AM Log File: bac70f72-8ce3-11e9-b52c-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11008 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236181 Threats Detected: 26 Threats Quarantined: 26 Time Elapsed: 6 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ResultSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ljdhbmpgjoniipceolimmogfinbcofac, Quarantined, [14643], [689255],1.0.11008 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ljdhbmpgjoniipceolimmogfinbcofac, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_locales\en, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_metadata, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_locales, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJDHBMPGJONIIPCEOLIMMOGFINBCOFAC, Quarantined, [14643], [689255],1.0.11008 File: 19 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljdhbmpgjoniipceolimmogfinbcofac\000003.log, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljdhbmpgjoniipceolimmogfinbcofac\CURRENT, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljdhbmpgjoniipceolimmogfinbcofac\LOCK, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljdhbmpgjoniipceolimmogfinbcofac\LOG, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljdhbmpgjoniipceolimmogfinbcofac\MANIFEST-000001, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\LJDHBMPGJONIIPCEOLIMMOGFINBCOFAC\0.0.6_0\BACKGROUND.JS, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_locales\en\messages.json, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_metadata\computed_hashes.json, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\_metadata\verified_contents.json, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\128.png, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\16.png, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\48.png, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\jquery-3.3.1.slim.js, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\manifest.json, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\page.js, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\popup.html, Quarantined, [14643], [689255],1.0.11008 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljdhbmpgjoniipceolimmogfinbcofac\0.0.6_0\popup.js, Quarantined, [14643], [689255],1.0.11008 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is mBytes System Care?The Malwarebytes research team has determined that mBytes System Care is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with mBytes System Care?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did mBytes System Care get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove mBytes System Care?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of mBytes System Care? No, Malwarebytes removes mBytes System Care completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the mBytes System Care installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (VINACLE SOFTWARES -> ) C:\Program Files\mBytes System Care for {computername}\rtc.exe Task: {7B843950-E2FE-4E61-84F3-AFDF5BBD3B81} - System32\Tasks\mBytes System Care_Logon => C:\Program Files\mBytes System Care for {computername}\rtc.exe [2302080 2019-05-29] (VINACLE SOFTWARES -> ) C:\Windows\System32\Tasks\mBytes System Care_Logon C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername} C:\ProgramData\mBytes System Care for {computername} C:\Users\Public\Desktop\mBytes System Care.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes System Care for {computername} C:\Program Files\mBytes System Care for {computername} ( ) C:\Users\{username}\Downloads\mbscsetup.exe mBytes System Care (HKLM\...\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1) (Version: 1.0.0.0 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\mBytes System Care for {computername} Adds the file application.ico"="4/24/2019 10:50 AM, 56150 bytes, A Adds the file german_iss.ini"="5/16/2018 11:25 AM, 2658 bytes, A Adds the file HtmlRenderer.dll"="5/29/2019 6:04 PM, 235136 bytes, A Adds the file HtmlRenderer.WinForms.dll"="5/29/2019 6:04 PM, 73856 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="5/29/2019 6:04 PM, 62592 bytes, A Adds the file Interop.SHDocVw.dll"="5/29/2019 6:04 PM, 177280 bytes, A Adds the file langs.db"="11/10/2018 3:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="5/29/2019 6:04 PM, 184448 bytes, A Adds the file NAudio.dll"="5/29/2019 6:04 PM, 484480 bytes, A Adds the file Newtonsoft.Json.dll"="5/29/2019 6:04 PM, 474240 bytes, A Adds the file pimg.dll"="5/29/2019 6:04 PM, 1856128 bytes, A Adds the file rtc.exe"="5/29/2019 6:04 PM, 2302080 bytes, A Adds the file rtc.exe.config"="5/29/2019 6:04 PM, 6311 bytes, A Adds the file System.Data.SQLite.DLL"="5/29/2019 6:04 PM, 304256 bytes, A Adds the file TAFactory.IconPack.dll"="5/29/2019 6:04 PM, 50304 bytes, A Adds the file unins000.dat"="6/11/2019 9:00 AM, 84761 bytes, A Adds the file unins000.exe"="6/11/2019 9:00 AM, 1242240 bytes, A Adds the file unins000.msg"="6/11/2019 9:00 AM, 22701 bytes, A Adds the folder C:\Program Files\mBytes System Care for {computername}\x64 Adds the file SQLite.Interop.dll"="5/29/2019 6:04 PM, 1188992 bytes, A Adds the folder C:\Program Files\mBytes System Care for {computername}\x86 Adds the file SQLite.Interop.dll"="5/29/2019 6:04 PM, 867968 bytes, A Adds the folder C:\ProgramData\mBytes System Care for {computername} Adds the file mdb.db"="10/26/2018 10:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 11:25 AM, 130973 bytes, A Adds the folder C:\ProgramData\mBytes System Care for {computername}\offers Adds the file a_p_t.exe"="6/11/2019 9:06 AM, 832040 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes System Care for {computername} Adds the file Buy mBytes System Care.lnk"="6/11/2019 9:00 AM, 1000 bytes, A Adds the file mBytes System Care.lnk"="6/11/2019 9:00 AM, 988 bytes, A Adds the file Uninstall mBytes System Care.lnk"="6/11/2019 9:00 AM, 1019 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername} Adds the file a_p_t_2.xml"="6/11/2019 9:05 AM, 1206 bytes, A Adds the file Errorlog.txt"="6/11/2019 9:07 AM, 20392 bytes, A Adds the file exlist.bin"="6/11/2019 9:01 AM, 258019 bytes, A Adds the file notifier.xml"="6/11/2019 9:01 AM, 13002 bytes, A Adds the file res.xml"="6/11/2019 9:03 AM, 13999 bytes, A Adds the file update.xml"="6/11/2019 9:01 AM, 36042 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file mBytes System Care.lnk"="6/11/2019 9:00 AM, 970 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file mBytes System Care_Logon"="6/11/2019 9:01 AM, 3078 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\bUJ5dGVzIFN5c3RlbSBDYXJl\ACT] "data"="REG_BINARY, ............................................................................................................ [HKEY_LOCAL_MACHINE\SOFTWARE\mBytes System Care For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trfactiv.com/install/mbsc/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.unopcutils.club/mbsc/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ............................................................................................................. "Installstring"="REG_SZ", "C:\Program Files\mBytes System Care for {computername}" "ipaddrurl"="REG_SZ", "http://www.trfactiv.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 35 "lstscandate"="REG_SZ", "6/11/2019 9:03:14 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 35 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.trfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.unopcutils.club/mbsc/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.unopcutils.club/mbsc/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.unopcutils.club/help/" "TELNO"="REG_SZ", "833-423-6820" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "833-423-6820" "WebURL"="REG_SZ", "http://www.unopcutils.club/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_193" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\mBytes System Care for {computername}\rtc.exe" "DisplayName"="REG_SZ", "mBytes System Care" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 18267 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\mBytes System Care for {computername}" "Inno Setup: Icon Group"="REG_SZ", "mBytes System Care for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190611" "InstallLocation"="REG_SZ", "C:\Program Files\mBytes System Care for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\mBytes System Care for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\mBytes System Care for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\AppCleaner.com] [HKEY_CURRENT_USER\Software\mBytes System Care For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\mBytes System Care for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "833-423-6820" "TELNO_us"="REG_SZ", "833-423-6820" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_193" [HKEY_CURRENT_USER\Software\mBytes System Care For {computername}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\mBytes System Care for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/11/19 Scan Time: 9:19 AM Log File: 43f3377e-8c19-11e9-a8fc-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10990 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236253 Threats Detected: 80 Threats Quarantined: 80 Time Elapsed: 8 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\rtc.exe, Quarantined, [463], [689191],1.0.10990 Module: 6 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\x64\SQLite.Interop.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\rtc.exe, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\System.Data.SQLite.DLL, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\TAFactory.IconPack.dll, Quarantined, [463], [689191],1.0.10990 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\mBytes System Care_Logon, Quarantined, [463], [689188],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7B843950-E2FE-4E61-84F3-AFDF5BBD3B81}, Quarantined, [463], [689188],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{7B843950-E2FE-4E61-84F3-AFDF5BBD3B81}, Quarantined, [463], [689188],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\bUJ5dGVzIFN5c3RlbSBDYXJl, Quarantined, [463], [689211],1.0.10990 PUP.Optional.PCVARK, HKCU\SOFTWARE\mBytes System Care For {computername}, Quarantined, [463], [689648],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [463], [540842],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\mBytes System Care For {computername}, Quarantined, [463], [689189],1.0.10990 Registry Value: 6 PUP.Optional.PCVARK, HKCU\SOFTWARE\mBytes System Care For {computername}|AFFILIATEID, Quarantined, [463], [689648],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1|INSTALLLOCATION, Quarantined, [463], [689196],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [463], [540842],1.0.10990 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1219], [484510],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\mBytes System Care For {computername}|AFFIRED, Quarantined, [463], [689189],1.0.10990 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7B843950-E2FE-4E61-84F3-AFDF5BBD3B81}|PATH, Quarantined, [463], [689186],1.0.10990 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\x64, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\x86, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\PROGRAM FILES\mBytes System Care for {computername}, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\mBytes System Care for {computername}, Quarantined, [463], [689192],1.0.10990 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername}\smico, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\mBytes System Care For {computername}, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\ProgramData\mBytes System Care for {computername}\offers, Quarantined, [463], [689193],1.0.10990 PUP.Optional.PCVARK, C:\PROGRAMDATA\mBytes System Care for {computername}, Quarantined, [463], [689193],1.0.10990 File: 51 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\mBytes System Care_Logon, Quarantined, [463], [689188],1.0.10990 PUP.Optional.PCVARK, C:\PROGRAM FILES\mBytes System Care for {computername}\unins000.dat, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\x64\SQLite.Interop.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\x86\SQLite.Interop.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\langs.db, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\application.ico, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\danish_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\Dutch_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\english_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\finish_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\French_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\german_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\HtmlRenderer.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\Interop.SHDocVw.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\italian_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\japanese_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\NAudio.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\Newtonsoft.Json.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\norwegian_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\pimg.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\portuguese_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\rtc.exe, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\rtc.exe.config, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\russian_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\spanish_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\swedish_iss.ini, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\System.Data.SQLite.DLL, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\TAFactory.IconPack.dll, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\unins000.exe, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\Program Files\mBytes System Care for {computername}\unins000.msg, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\mBytes System Care.lnk, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\USERS\PUBLIC\Desktop\mBytes System Care.lnk, Quarantined, [463], [689191],1.0.10990 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\mBytes System Care for {computername}\Buy mBytes System Care.lnk, Quarantined, [463], [689192],1.0.10990 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes System Care for {computername}\mBytes System Care.lnk, Quarantined, [463], [689192],1.0.10990 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes System Care for {computername}\Uninstall mBytes System Care.lnk, Quarantined, [463], [689192],1.0.10990 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\mBytes System Care For {computername}\Errorlog.txt, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername}\a_p_t_2.xml, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername}\exlist.bin, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername}\notifier.xml, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername}\res.xml, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes System Care For {computername}\update.xml, Quarantined, [463], [689194],1.0.10990 PUP.Optional.PCVARK, C:\PROGRAMDATA\mBytes System Care for {computername}\mdb.db, Quarantined, [463], [689193],1.0.10990 PUP.Optional.PCVARK, C:\ProgramData\mBytes System Care for {computername}\offers\a_p_t.exe, Quarantined, [463], [689193],1.0.10990 PUP.Optional.PCVARK, C:\ProgramData\mBytes System Care for {computername}\pcspstartrepair_en.mp3, Quarantined, [463], [689193],1.0.10990 PUP.Optional.PCVARK, C:\PROGRAMDATA\MBYTES SYSTEM CARE FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [463], [583068],1.0.10990 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [463], [583068],1.0.10990 PUP.Optional.PCVARK, C:\USERS\{username}\DOWNLOADS\MBSCSETUP.EXE, Quarantined, [463], [689647],1.0.10990 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\MBSCSETUP.EXE, Quarantined, [463], [689647],1.0.10990 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Inspiring Quotes?The Malwarebytes research team has determined that Inspiring Quotes is a potentially unwanted program that behaves like adware.This particular one add advertisements at the top of Google search results.How do I know if my computer is affected by Inspiring Quotes?You may see these warnings during install:this icon in the Chrome menu-bar:which produces a prompt like this one when you click it:and this entry in your list of installed Chrome extensions:Despite the claim on their website that there is a compatible extension for Firefox, you'll see this warning when you try to install it:How did Inspiring Quotes get on my computer?Adware applications use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Inspiring Quotes?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Inspiring Quotes? No, Malwarebytes removes Inspiring Quotes completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the Inspiring Quotes adware. It would have warned you about the website before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Inspiring Quotes) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma [2019-06-07] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0 Adds the file manifest.json"="6/7/2019 9:17 AM, 6635 bytes, A Adds the file popup.html"="5/7/2019 4:58 PM, 852 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\_metadata Adds the file computed_hashes.json"="6/7/2019 9:17 AM, 3598 bytes, A Adds the file verified_contents.json"="5/13/2019 6:45 PM, 2435 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\assets Adds the file 128-logo.png"="6/7/2019 9:17 AM, 4891 bytes, A Adds the file 16-logo.png"="6/7/2019 9:17 AM, 600 bytes, A Adds the file 48-logo.png"="6/7/2019 9:17 AM, 1878 bytes, A Adds the file logo.png"="5/7/2019 4:58 PM, 50394 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\data Adds the file data.json"="5/7/2019 4:58 PM, 18772 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\js Adds the file background.js"="5/13/2019 7:38 PM, 1797 bytes, A Adds the file material.min.js"="5/7/2019 4:58 PM, 181118 bytes, A Adds the file p.js"="5/10/2019 3:08 PM, 943 bytes, A Adds the file setup.js"="5/7/2019 4:58 PM, 764 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcjhkpmjagijnopidpkihniogcfjnma Adds the file 000003.log"="6/7/2019 9:17 AM, 397 bytes, A Adds the file CURRENT"="6/7/2019 9:17 AM, 16 bytes, A Adds the file LOCK"="6/7/2019 9:17 AM, 0 bytes, A Adds the file LOG"="6/7/2019 9:17 AM, 184 bytes, A Adds the file MANIFEST-000001"="6/7/2019 9:17 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jfcjhkpmjagijnopidpkihniogcfjnma"="REG_SZ", "3F6C218513C6CA75C20E9437104D0777427B8C31221789E824447BF7535E16B6" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/7/19 Scan Time: 9:26 AM Log File: 8caafa64-88f5-11e9-beca-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10936 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236129 Threats Detected: 28 Threats Quarantined: 28 Time Elapsed: 6 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ResultSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jfcjhkpmjagijnopidpkihniogcfjnma, Quarantined, [14643], [685925],1.0.10936 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jfcjhkpmjagijnopidpkihniogcfjnma, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\_metadata, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\assets, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\data, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\js, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFCJHKPMJAGIJNOPIDPKIHNIOGCFJNMA\1.0.3_0, Quarantined, [14643], [685925],1.0.10936 File: 20 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcjhkpmjagijnopidpkihniogcfjnma\000003.log, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcjhkpmjagijnopidpkihniogcfjnma\CURRENT, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcjhkpmjagijnopidpkihniogcfjnma\LOCK, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcjhkpmjagijnopidpkihniogcfjnma\LOG, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcjhkpmjagijnopidpkihniogcfjnma\MANIFEST-000001, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFCJHKPMJAGIJNOPIDPKIHNIOGCFJNMA\1.0.3_0\JS\BACKGROUND.JS, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\assets\128-logo.png, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\assets\16-logo.png, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\assets\48-logo.png, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\assets\logo.png, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\data\data.json, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\js\material.min.js, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\js\p.js, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\js\setup.js, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\_metadata\computed_hashes.json, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\_metadata\verified_contents.json, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\manifest.json, Quarantined, [14643], [685925],1.0.10936 PUP.Optional.ResultSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcjhkpmjagijnopidpkihniogcfjnma\1.0.3_0\popup.html, Quarantined, [14643], [685925],1.0.10936 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is One Click Speedup?The Malwarebytes research team has determined that One Click Speedup is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with One Click Speedup?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did One Click Speedup get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove One Click Speedup?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of One Click Speedup? No, Malwarebytes removes One Click Speedup completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the One Click Speedup installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: Task: {B4B3EF12-3A2D-4EEC-B8F8-0A0EBD375FB8} - System32\Tasks\One-Click Speedup_Logon => C:\Program Files\One-Click Speedup for {computername}\rtc.exe [2582232 2019-04-02] (QUICK SPEEDUP TOOLS -> ) C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername} C:\ProgramData\One-Click Speedup for {computername} C:\Windows\System32\Tasks\One-Click Speedup_Logon C:\Users\Public\Desktop\One-Click Speedup.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One-Click Speedup for {computername} C:\Program Files\One-Click Speedup for {computername} ( ) C:\Users\{username}\Desktop\ocssetup.exe One-Click Speedup (HKLM\...\{90A1B542-3C30-415B-9192-0409CAF8E7E8}_is1) (Version: 1.0.0.11 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\One-Click Speedup for {computername} Adds the file application.ico"="1/24/2019 1:41 PM, 56150 bytes, A Adds the file german_iss.ini"="5/16/2018 11:25 AM, 2658 bytes, A Adds the file gmtrs.dll"="4/2/2019 4:17 PM, 1989848 bytes, A Adds the file HtmlRenderer.dll"="4/2/2019 4:17 PM, 235736 bytes, A Adds the file HtmlRenderer.WinForms.dll"="4/2/2019 4:17 PM, 74456 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="4/2/2019 4:17 PM, 63192 bytes, A Adds the file Interop.SHDocVw.dll"="4/2/2019 4:17 PM, 177880 bytes, A Adds the file langs.db"="11/10/2018 3:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/2/2019 4:17 PM, 185048 bytes, A Adds the file NAudio.dll"="4/2/2019 4:17 PM, 485080 bytes, A Adds the file Newtonsoft.Json.dll"="4/2/2019 4:17 PM, 474840 bytes, A Adds the file PaddleCheckoutSDK.dll"="4/2/2019 4:17 PM, 72920 bytes, A Adds the file rtc.exe"="4/2/2019 4:17 PM, 2582232 bytes, A Adds the file rtc.exe.config"="4/2/2019 4:16 PM, 6399 bytes, A Adds the file System.Data.SQLite.DLL"="4/2/2019 4:17 PM, 304856 bytes, A Adds the file TAFactory.IconPack.dll"="4/2/2019 4:17 PM, 50904 bytes, A Adds the file unins000.dat"="6/6/2019 9:42 AM, 85479 bytes, A Adds the file unins000.exe"="6/6/2019 9:41 AM, 1242840 bytes, A Adds the file unins000.msg"="6/6/2019 9:42 AM, 22701 bytes, A Adds the folder C:\Program Files\One-Click Speedup for {computername}\x64 Adds the file SQLite.Interop.dll"="4/2/2019 4:17 PM, 1189592 bytes, A Adds the folder C:\Program Files\One-Click Speedup for {computername}\x86 Adds the file SQLite.Interop.dll"="4/2/2019 4:17 PM, 868568 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One-Click Speedup for {computername} Adds the file Buy One-Click Speedup.lnk"="6/6/2019 9:42 AM, 993 bytes, A Adds the file One-Click Speedup.lnk"="6/6/2019 9:42 AM, 981 bytes, A Adds the file Uninstall One-Click Speedup.lnk"="6/6/2019 9:42 AM, 1012 bytes, A Adds the folder C:\ProgramData\One-Click Speedup for {computername} Adds the file mdb.db"="10/26/2018 10:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 11:25 AM, 130973 bytes, A Adds the folder C:\ProgramData\One-Click Speedup for {computername}\offers Adds the file a_p_t.exe"="6/6/2019 9:46 AM, 832040 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername} Adds the file a_p_t_2.xml"="6/6/2019 9:46 AM, 1206 bytes, A Adds the file Errorlog.txt"="6/6/2019 9:48 AM, 22010 bytes, A Adds the file exlist.bin"="6/6/2019 9:42 AM, 258019 bytes, A Adds the file notifier.xml"="6/6/2019 9:42 AM, 14636 bytes, A Adds the file res.xml"="6/6/2019 9:44 AM, 13995 bytes, A Adds the file update.xml"="6/6/2019 9:42 AM, 40004 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file One-Click Speedup.lnk"="6/6/2019 9:42 AM, 963 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file One-Click Speedup_Logon"="6/6/2019 9:42 AM, 3076 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90A1B542-3C30-415B-9192-0409CAF8E7E8}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\One-Click Speedup for {computername}\rtc.exe" "DisplayName"="REG_SZ", "One-Click Speedup" "DisplayVersion"="REG_SZ", "1.0.0.11" "EstimatedSize"="REG_DWORD", 18880 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\One-Click Speedup for {computername}" "Inno Setup: Icon Group"="REG_SZ", "One-Click Speedup for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190606" "InstallLocation"="REG_SZ", "C:\Program Files\One-Click Speedup for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\One-Click Speedup for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\One-Click Speedup for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\One-Click Speedup For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trfactiv.com/install/ocs/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.qbitmypcutils.club/ocs/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ........................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\One-Click Speedup for {computername}" "ipaddrurl"="REG_SZ", "http://www.trfactiv.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 35 "lstscandate"="REG_SZ", "6/6/2019 9:44:07 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 35 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.trfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.qbitmypcutils.club/ocs/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.qbitmypcutils.club/ocs/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.qbitmypcutils.club/help/" "TELNO"="REG_SZ", "833-423-6820" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "833-423-6820" "WebURL"="REG_SZ", "http://www.qbitmypcutils.club/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_187_178_203" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\T25lLUNsaWNrIFNwZWVkdXA=\ACT] "data"="REG_BINARY, ............................................................................................................... [HKEY_CURRENT_USER\Software\AppCleaner.com] [HKEY_CURRENT_USER\Software\One-Click Speedup For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\One-Click Speedup for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "833-423-6820" "TELNO_us"="REG_SZ", "833-423-6820" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_187_178_203" [HKEY_CURRENT_USER\Software\One-Click Speedup For {computername}\1.0.0.11] "Installstring"="REG_SZ", "C:\Program Files\One-Click Speedup for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/6/19 Scan Time: 11:15 AM Log File: a11e308e-883b-11e9-ad21-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10922 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236272 Threats Detected: 81 Threats Quarantined: 81 Time Elapsed: 12 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\rtc.exe, Quarantined, [464], [633131],1.0.10922 Module: 7 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\x64\SQLite.Interop.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\PaddleCheckoutSDK.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\rtc.exe, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\System.Data.SQLite.DLL, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\TAFactory.IconPack.dll, Quarantined, [464], [633131],1.0.10922 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B4B3EF12-3A2D-4EEC-B8F8-0A0EBD375FB8}, Quarantined, [464], [633126],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\One-Click Speedup For {computername}, Quarantined, [464], [633129],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{B4B3EF12-3A2D-4EEC-B8F8-0A0EBD375FB8}, Quarantined, [464], [633125],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\One-Click Speedup_Logon, Quarantined, [464], [633125],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{90A1B542-3C30-415B-9192-0409CAF8E7E8}_is1, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, HKCU\SOFTWARE\One-Click Speedup For {computername}, Quarantined, [464], [641234],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [464], [540842],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\T25lLUNsaWNrIFNwZWVkdXA=, Quarantined, [464], [656565],1.0.10922 Registry Value: 6 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B4B3EF12-3A2D-4EEC-B8F8-0A0EBD375FB8}|PATH, Quarantined, [464], [633126],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\One-Click Speedup For {computername}|AFFIRED, Quarantined, [464], [633129],1.0.10922 PUP.Optional.PCVARK, HKCU\SOFTWARE\One-Click Speedup For {computername}|TELNO_US, Quarantined, [464], [641234],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{90A1B542-3C30-415B-9192-0409CAF8E7E8}_is1|DISPLAYNAME, Quarantined, [464], [633138],1.0.10922 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [464], [540842],1.0.10922 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1220], [484510],1.0.10922 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\ProgramData\One-Click Speedup for {computername}\offers, Quarantined, [464], [633133],1.0.10922 PUP.Optional.PCVARK, C:\PROGRAMDATA\One-Click Speedup for {computername}, Quarantined, [464], [633133],1.0.10922 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\One-Click Speedup for {computername}, Quarantined, [464], [633132],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\x64, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\x86, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\PROGRAM FILES\One-Click Speedup for {computername}, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername}\smico, Quarantined, [464], [633134],1.0.10922 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\One-Click Speedup For {computername}, Quarantined, [464], [633134],1.0.10922 File: 51 PUP.Optional.PCVARK, C:\PROGRAMDATA\One-Click Speedup for {computername}\mdb.db, Quarantined, [464], [633133],1.0.10922 PUP.Optional.PCVARK, C:\ProgramData\One-Click Speedup for {computername}\offers\a_p_t.exe, Quarantined, [464], [633133],1.0.10922 PUP.Optional.PCVARK, C:\ProgramData\One-Click Speedup for {computername}\pcspstartrepair_en.mp3, Quarantined, [464], [633133],1.0.10922 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\ONE-CLICK SPEEDUP_LOGON, Quarantined, [464], [633125],1.0.10922 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\One-Click Speedup.lnk, Quarantined, [464], [633137],1.0.10922 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\One-Click Speedup for {computername}\Buy One-Click Speedup.lnk, Quarantined, [464], [633132],1.0.10922 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One-Click Speedup for {computername}\One-Click Speedup.lnk, Quarantined, [464], [633132],1.0.10922 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\One-Click Speedup for {computername}\Uninstall One-Click Speedup.lnk, Quarantined, [464], [633132],1.0.10922 PUP.Optional.PCVARK, C:\PROGRAM FILES\One-Click Speedup for {computername}\unins000.dat, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\x64\SQLite.Interop.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\x86\SQLite.Interop.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\application.ico, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\danish_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\Dutch_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\english_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\finish_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\French_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\german_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\gmtrs.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\HtmlRenderer.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\Interop.SHDocVw.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\italian_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\japanese_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\langs.db, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\NAudio.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\Newtonsoft.Json.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\norwegian_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\PaddleCheckoutSDK.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\portuguese_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\rtc.exe, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\rtc.exe.config, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\russian_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\spanish_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\swedish_iss.ini, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\System.Data.SQLite.DLL, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\TAFactory.IconPack.dll, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\unins000.exe, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\Program Files\One-Click Speedup for {computername}\unins000.msg, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\One-Click Speedup.lnk, Quarantined, [464], [633131],1.0.10922 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\One-Click Speedup For {computername}\Errorlog.txt, Quarantined, [464], [633134],1.0.10922 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername}\a_p_t_2.xml, Quarantined, [464], [633134],1.0.10922 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername}\exlist.bin, Quarantined, [464], [633134],1.0.10922 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername}\notifier.xml, Quarantined, [464], [633134],1.0.10922 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername}\res.xml, Quarantined, [464], [633134],1.0.10922 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\One-Click Speedup For {computername}\update.xml, Quarantined, [464], [633134],1.0.10922 PUP.Optional.PCVARK, C:\PROGRAMDATA\ONE-CLICK SPEEDUP FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [464], [583068],1.0.10922 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [464], [583068],1.0.10922 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\OCSSETUP.EXE, Quarantined, [464], [687514],1.0.10922 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is Easy Speedtest?The Malwarebytes research team has determined that Easy Speedtest is a potentially unwanted program that behaves like adware.This particular one adds advertisements at the top of the Google search results.How do I know if my computer is affected by Easy Speedtest?You may see these warnings during install: and this entry in your list of installed Chrome extensions: You will see this icon in your Chrome menu-bar: and this screen when you click on that icon: How did Easy Speedtest get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: Even though the website says the extension is compatible with Firefox, you will see this prompt when you try to install: How do I remove Easy Speedtest?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Speedtest? No, Malwarebytes removes Easy Speedtest completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the Easy Speedtest adware. It would have blocked the website before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Easy Speedtest) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi [2019-06-05] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0 Adds the file manifest.json"="6/5/2019 9:19 AM, 6628 bytes, A Adds the file popup.html"="5/10/2019 3:08 PM, 307 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\_metadata Adds the file computed_hashes.json"="6/5/2019 9:19 AM, 15446 bytes, A Adds the file verified_contents.json"="5/13/2019 6:47 PM, 2097 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\assets Adds the file 128-logo.png"="6/5/2019 9:19 AM, 19618 bytes, A Adds the file 16-logo.png"="6/5/2019 9:19 AM, 891 bytes, A Adds the file 48-logo.png"="6/5/2019 9:19 AM, 5126 bytes, A Adds the file logo.png"="5/7/2019 4:58 PM, 1306788 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\js Adds the file background.js"="5/7/2019 4:58 PM, 1796 bytes, A Adds the file p.js"="5/10/2019 3:08 PM, 943 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kfnnfabidihajnbhndladhkacekfhemi Adds the file 000003.log"="6/5/2019 9:20 AM, 409 bytes, A Adds the file CURRENT"="6/5/2019 9:19 AM, 16 bytes, A Adds the file LOCK"="6/5/2019 9:19 AM, 0 bytes, A Adds the file LOG"="6/5/2019 9:20 AM, 183 bytes, A Adds the file MANIFEST-000001"="6/5/2019 9:19 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kfnnfabidihajnbhndladhkacekfhemi"="REG_SZ", "5D9B6AD9E8021564C1FE36238959121BB7A6F8195F57154D63F7D2AAA6E0BDFB" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/5/19 Scan Time: 9:28 AM Log File: 8eca1dae-8763-11e9-b04c-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10906 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236296 Threats Detected: 24 Threats Quarantined: 24 Time Elapsed: 5 min, 23 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.PolarityTech, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kfnnfabidihajnbhndladhkacekfhemi, Quarantined, [422], [683603],1.0.10906 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.PolarityTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kfnnfabidihajnbhndladhkacekfhemi, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\_metadata, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\assets, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\js, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KFNNFABIDIHAJNBHNDLADHKACEKFHEMI, Quarantined, [422], [683603],1.0.10906 File: 17 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kfnnfabidihajnbhndladhkacekfhemi\000003.log, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kfnnfabidihajnbhndladhkacekfhemi\CURRENT, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kfnnfabidihajnbhndladhkacekfhemi\LOCK, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kfnnfabidihajnbhndladhkacekfhemi\LOG, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kfnnfabidihajnbhndladhkacekfhemi\MANIFEST-000001, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KFNNFABIDIHAJNBHNDLADHKACEKFHEMI\1.0.3_0\MANIFEST.JSON, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\assets\128-logo.png, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\assets\16-logo.png, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\assets\48-logo.png, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\assets\logo.png, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\js\background.js, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\js\p.js, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\_metadata\computed_hashes.json, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\_metadata\verified_contents.json, Quarantined, [422], [683603],1.0.10906 PUP.Optional.PolarityTech, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnfabidihajnbhndladhkacekfhemi\1.0.3_0\popup.html, Quarantined, [422], [683603],1.0.10906 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Advanced Driver Booster?The Malwarebytes research team has determined that Advanced Driver Booster is a "driver updater". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found in our blogpost Driver Updaters: Digital Snake Oil, Part 2.How do I know if I am infected with Advanced Driver Booster?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install: and these screens during "operations":You may see this entry in your list of installed programs: and this task in your list of Scheduled Tasks:How did Advanced Driver Booster get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website: How do I remove Advanced Driver Booster?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Advanced Driver Booster? No, Malwarebytes removes Advanced Driver Booster completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Advanced Driver Booster installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (advancepctools.net) [File not signed] C:\Program Files\Advanced Driver Booster\adb.exe Task: {FF22EF59-CE35-437A-B604-09DB10B8AD24} - System32\Tasks\Advanced Driver Booster_Logon => C:\Program Files\Advanced Driver Booster\adb.exe [2379776 2019-05-30] (advancepctools.net) [File not signed] C:\Users\Public\Desktop\Advanced Driver Booster.lnk C:\Windows\System32\Tasks\Advanced Driver Booster_Logon C:\Users\{username}\AppData\Roaming\acc.txt C:\Users\{username}\AppData\Roaming\advancepctools.net C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Driver Booster C:\Program Files\Advanced Driver Booster Advanced Driver Booster (HKLM\...\{3F742BD4-59D0-467A-B2EB-A9984FB1E969}_is1) (Version: 1.0.0.0 - advanceddriverbooster.com) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Advanced Driver Booster Adds the file adb.exe"="5/30/2019 5:59 PM, 2379776 bytes, A Adds the file adb.exe.config"="5/30/2019 4:50 PM, 3858 bytes, A Adds the file AdvDBResource.dll"="5/30/2019 5:50 PM, 2964480 bytes, A Adds the file Application_icon.png"="5/30/2019 12:59 PM, 17499 bytes, A Adds the file danish_iss.ini"="5/30/2019 12:58 PM, 2400 bytes, A Adds the file Delimon.Win32.IO.dll"="5/30/2019 12:59 PM, 957832 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="5/30/2019 12:59 PM, 56712 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="5/30/2019 12:58 PM, 178568 bytes, A Adds the file Microsoft.WindowsAPICodePack.dll"="5/30/2019 12:59 PM, 105864 bytes, A Adds the file Microsoft.WindowsAPICodePack.Shell.dll"="5/30/2019 12:59 PM, 549768 bytes, A Adds the file System.ServiceModel.dll"="5/30/2019 12:59 PM, 6000008 bytes, A Adds the file TAFactory.IconPack.dll"="5/30/2019 12:59 PM, 44424 bytes, A Adds the file TaskScheduler.dll"="5/30/2019 12:59 PM, 48520 bytes, A Adds the file unins000.dat"="6/4/2019 9:17 AM, 90883 bytes, A Adds the file unins000.exe"="6/4/2019 9:17 AM, 1630409 bytes, A Adds the file Windows.winmd"="5/30/2019 12:59 PM, 1444232 bytes, A Adds the folder C:\Program Files\Advanced Driver Booster\dp Adds the file 7z.dll"="5/30/2019 12:59 PM, 872840 bytes, A Adds the file 7z.exe"="5/30/2019 12:59 PM, 169352 bytes, A Adds the file AdvDBPath.exe"="5/30/2019 2:33 PM, 259072 bytes, A Adds the file difxapi.dll"="5/30/2019 12:59 PM, 323464 bytes, A Adds the file difxapi64.dll"="5/30/2019 12:59 PM, 519048 bytes, A Adds the file DPInst32.exe"="5/30/2019 12:59 PM, 552840 bytes, A Adds the file DPInst64.exe"="5/30/2019 12:59 PM, 678280 bytes, A Adds the file FileValidator.exe"="5/30/2019 12:59 PM, 267264 bytes, A Adds the folder C:\Program Files\Advanced Driver Booster\Langs Adds the file danish_du_da.ini"="5/30/2019 4:19 PM, 56200 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Driver Booster Adds the file Advanced Driver Booster.lnk"="6/4/2019 9:17 AM, 904 bytes, A Adds the file Buy Advanced Driver Booster.lnk"="6/4/2019 9:17 AM, 924 bytes, A Adds the file Uninstall Advanced Driver Booster.lnk"="6/4/2019 9:17 AM, 951 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming Adds the file acc.txt"="6/4/2019 9:17 AM, 2 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster Adds the file common_desktop.gif"="6/4/2019 9:17 AM, 16987 bytes, A Adds the file common_desktop_backup.gif"="6/4/2019 9:17 AM, 16987 bytes, A Adds the file common_desktop_install.gif"="6/4/2019 9:17 AM, 16987 bytes, A Adds the file common_desktop_restore.gif"="6/4/2019 9:17 AM, 16987 bytes, A Adds the file Errorlog.txt"="6/4/2019 9:18 AM, 114972 bytes, A Adds the file notifier.xml"="6/4/2019 9:17 AM, 1319 bytes, A Adds the file res.bin"="6/4/2019 9:18 AM, 35688 bytes, A Adds the file update.xml"="6/4/2019 9:17 AM, 2894 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\Backups Adds the folder C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\Download Adds the folder C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\icon Adds the file 091846.ico"="6/4/2019 9:18 AM, 69127 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\smico In the existing folder C:\Users\Public\Desktop Adds the file Advanced Driver Booster.lnk"="6/4/2019 9:18 AM, 1933 bytes, A In the existing folder C:\Windows\Fonts Adds the file advdrvbstr.ttf"="5/30/2019 2:55 PM, 27636 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Advanced Driver Booster_Logon"="6/4/2019 9:17 AM, 3054 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\adb-pr] "affiliateid"="REG_SZ", "" "country"="REG_SZ", "" "LangCode"="REG_SZ", "en" "phone"="REG_SZ", "" "pxl"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "site" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "pdu" "x-base"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\advanceddriverbooster.com\Advanced Driver Booster] "affiliateid"="REG_SZ", "" "affired"="REG_DWORD", 0 "afterInstallUrl"="REG_SZ", "http://ins.advanceddriverbooster.com/install/adb/?" "bdInst"="REG_DWORD", 0 "country"="REG_SZ", "" "delay"="REG_DWORD", 0 "EmailURL"="REG_SZ", "support@syscarehelp.com" "Installstring"="REG_SZ", "C:\Program Files\Advanced Driver Booster" "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.advanceddriverbooster.com/adb/price?" "pxl"="REG_SZ", "" "RenewURL"="REG_SZ", "http://store.advanceddriverbooster.com/adb/renew?" "ScanAfterInstall"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 1 "supporturl"="REG_SZ", "http://www.advanceddriverbooster.com/help/" "TELNO"="REG_SZ", "(855)-332-0124" "TELNO_ar"="REG_SZ", "+54-2644662260" "TELNO_at"="REG_SZ", "+43-720778901" "TELNO_au"="REG_SZ", "1800-832-113" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55-1143496208" "TELNO_ch"="REG_SZ", "+41-315282466" "TELNO_de"="REG_SZ", "0800 1830 543" "TELNO_dk"="REG_SZ", "+45-78791126" "TELNO_es"="REG_SZ", "+34-911433466" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "0120-974-935" "TELNO_jp"="REG_SZ", "0120-974-935" "TELNO_lu"="REG_SZ", "0699 4189 283" "TELNO_nl"="REG_SZ", "+31-202254458" "TELNO_no"="REG_SZ", "+47-21966190" "TELNO_pt"="REG_SZ", "+351-308803766" "TELNO_se"="REG_SZ", "+46-844682660" "TELNO_uk"="REG_SZ", "0800-031-5332" "TELNO_us"="REG_SZ", "833-423-6820" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "site" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "pdu" "WebURL"="REG_SZ", "http://www.advanceddriverbooster.com/" "x-base"="REG_SZ", "" "x-fetch"="REG_SZ", "0" [HKEY_LOCAL_MACHINE\SOFTWARE\advancepctools.net\Advanced Driver Booster] "country"="REG_SZ", "" "devicesscanned"="REG_DWORD", 56 "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ........................................................................................................................ "ignoreddrivercount"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 0 "lastscandate"="REG_SZ", "6/4/2019 7:18:45 AM" "lastscanstatus"="REG_DWORD", 2 "lastupdatedate"="REG_SZ", "1/1/0001 12:00:00 AM" "oldmissingdrivercount"="REG_DWORD", 6 "reg"="REG_DWORD", 0 "rescan"="REG_DWORD", 0 "TELNO"="REG_SZ", "" "uptodatedrivercount"="REG_DWORD", 50 "vendorLogo"="REG_SZ", "common_logo.png" "vendorMachineAvi"="REG_SZ", "C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop.gif" "vendorMachineAviBkp"="REG_SZ", "C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop_backup.gif" "vendorMachineAviInstall"="REG_SZ", "C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop_install.gif" "vendorMachineAviRestore"="REG_SZ", "C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop_restore.gif" "verboseLog"="REG_DWORD", 1 "x-ccode"="REG_SZ", "nl" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F742BD4-59D0-467A-B2EB-A9984FB1E969}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Advanced Driver Booster\adb.exe" "DisplayName"="REG_SZ", "Advanced Driver Booster" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 20310 "HelpLink"="REG_SZ", "http://www.advanceddriverbooster.com/help/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Advanced Driver Booster" "Inno Setup: Icon Group"="REG_SZ", "Advanced Driver Booster" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190604" "InstallLocation"="REG_SZ", "C:\Program Files\Advanced Driver Booster\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "advanceddriverbooster.com" "QuietUninstallString"="REG_SZ", ""C:\Program Files\Advanced Driver Booster\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Advanced Driver Booster\unins000.exe" /SILENT" "URLInfoAbout"="REG_SZ", "http://www.advanceddriverbooster.com/" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts] "adbdrvbstr (TrueType)"="REG_SZ", "advdrvbstr.ttf" [HKEY_LOCAL_MACHINE\SOFTWARE\YWR2YW5jZXBjdG9vbHMubmV0\QWR2YW5jZWQgRHJpdmVyIEJvb3N0ZXI=\ACT] "data"="REG_BINARY, ........................................................................................ [HKEY_CURRENT_USER\Software\advanceddriverbooster.com\Advanced Driver Booster] "affiliateid"="REG_SZ", "" "Installstring"="REG_SZ", "C:\Program Files\Advanced Driver Booster" "LangCode"="REG_SZ", "en" "pxl"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "site" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "pdu" "x-base"="REG_SZ", "" [HKEY_CURRENT_USER\Software\advanceddriverbooster.com\Advanced Driver Booster\1.0.0.0] [HKEY_CURRENT_USER\Software\advancepctools.net\Advanced Driver Booster] Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/4/19 Scan Time: 9:33 AM Log File: 0395f7bc-869b-11e9-aebe-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10892 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236387 Threats Detected: 93 Threats Quarantined: 93 Time Elapsed: 7 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\adb.exe, Quarantined, [464], [690247],1.0.10892 Module: 3 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\adb.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Interop.IWshRuntimeLibrary.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Microsoft.Win32.TaskScheduler.dll, Quarantined, [464], [690247],1.0.10892 Registry Key: 10 PUP.Optional.PCVARK, HKCU\SOFTWARE\advanceddriverbooster.com, Quarantined, [464], [690249],1.0.10892 PUP.Optional.PCVARK, HKCU\SOFTWARE\ADVANCEPCTOOLS.NET\Advanced Driver Booster, Quarantined, [464], [690259],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF22EF59-CE35-437A-B604-09DB10B8AD24}, Quarantined, [464], [690400],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Advanced Driver Booster_Logon, Quarantined, [464], [690398],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{FF22EF59-CE35-437A-B604-09DB10B8AD24}, Quarantined, [464], [690398],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\advanceddriverbooster.com, Quarantined, [464], [690250],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\YWR2YW5jZXBjdG9vbHMubmV0, Quarantined, [464], [556573],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\ADB-PR, Quarantined, [464], [690397],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\ADVANCEPCTOOLS.NET\Advanced Driver Booster, Quarantined, [464], [690252],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{3F742BD4-59D0-467A-B2EB-A9984FB1E969}_is1, Quarantined, [464], [690247],1.0.10892 Registry Value: 2 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF22EF59-CE35-437A-B604-09DB10B8AD24}|PATH, Quarantined, [464], [690400],1.0.10892 PUP.Optional.PCVARK, HKLM\SOFTWARE\ADB-PR|AFFILIATEID, Quarantined, [464], [690397],1.0.10892 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\Download, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\Backups, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\smico, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\icon, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\USERS\{username}\APPDATA\ROAMING\ADVANCEPCTOOLS.NET, Quarantined, [824], [508932],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\PROGRAM FILES\ADVANCED DRIVER BOOSTER, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ADVANCED DRIVER BOOSTER, Quarantined, [464], [690248],1.0.10892 File: 67 PUP.Optional.PCVARK.Generic, C:\USERS\{username}\APPDATA\ROAMING\ACC.TXT, Quarantined, [739], [421587],1.0.10892 PUP.Optional.PCVARK, C:\WINDOWS\FONTS\ADVDRVBSTR.TTF, Quarantined, [464], [690396],1.0.10892 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Advanced Driver Booster_Logon, Quarantined, [464], [690398],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\icon\091846.ico, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop.gif, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop_backup.gif, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop_install.gif, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\common_desktop_restore.gif, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\Errorlog.txt, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\notifier.xml, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\res.bin, Quarantined, [824], [508932],1.0.10892 PUP.Optional.AdvanceSystemCare, C:\Users\{username}\AppData\Roaming\advancepctools.net\Advanced Driver Booster\update.xml, Quarantined, [824], [508932],1.0.10892 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\ADVANCED DRIVER BOOSTER.LNK, Quarantined, [464], [690395],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\danish_du_da.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\Dutch_du_nl.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\english_du_en.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\finish_du_fi.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\French_du_fr.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\german_du_de.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\italian_du_it.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\japanese_du_ja.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\norwegian_du_no.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\portuguese_du_ptbr.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\russian_du_ru.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\spanish_du_es.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Langs\swedish_du_sv.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\7z.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\7z.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\AdvDBPath.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\difxapi.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\difxapi64.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\DPInst32.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\DPInst64.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\dp\FileValidator.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\adb.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\adb.exe.config, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\AdvDBResource.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Application_icon.png, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\danish_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Delimon.Win32.IO.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Dutch_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\english_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\finish_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\French_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\german_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Interop.IWshRuntimeLibrary.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\italian_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\japanese_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Microsoft.Win32.TaskScheduler.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Microsoft.WindowsAPICodePack.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Microsoft.WindowsAPICodePack.Shell.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\norwegian_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\portuguese_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\russian_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\spanish_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\swedish_iss.ini, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\System.ServiceModel.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\TAFactory.IconPack.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\TaskScheduler.dll, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\unins000.dat, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\unins000.exe, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\Program Files\Advanced Driver Booster\Windows.winmd, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Advanced Driver Booster.lnk, Quarantined, [464], [690247],1.0.10892 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Driver Booster\Advanced Driver Booster.lnk, Quarantined, [464], [690248],1.0.10892 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Driver Booster\Buy Advanced Driver Booster.lnk, Quarantined, [464], [690248],1.0.10892 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Driver Booster\Uninstall Advanced Driver Booster.lnk, Quarantined, [464], [690248],1.0.10892 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\ADVDRVBOOSTERSETUP.EXE, Quarantined, [464], [690246],1.0.10892 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Max Registry Cleaner?The Malwarebytes research team has determined that Max Registry Cleaner is a fake registry cleaner. These so-called "registry cleaners" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Max Registry Cleaner?This is how the main screen of the registry cleaning application looks:You will find these icons in your taskbar and on your desktop:And see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:How did Max Registry Cleaner get on my computer?These so-called registry cleaners use different methods of getting installed. This particular one was downloaded from their website.How do I remove Max Registry Cleaner?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Max Registry Cleaner? No, Malwarebytes removes Max Registry Cleaner completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this registry cleaner.As you can see below the full version of Malwarebytes would have protected you against the Max Registry Cleaner installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and it would have blocked access to their website: Technical details for expertsYou may see these entries in FRST logs: (Max Secure Software India Private Ltd. -> Max Secure Software) C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe (Max Secure Software India Private Ltd. -> Max Secure Software) C:\Program Files\Max Registry Cleaner\MaxRegistryCleaner.exe (Max Secure Software India Private Ltd. -> Max Secure Software) C:\Program Files\Max Registry Cleaner\RCVistaService.exe HKLM\...\Run: [RCSystemTray] => C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe [2767128 2019-04-02] (Max Secure Software India Private Ltd. -> Max Secure Software) HKLM\...\Run: [RCAutoLiveUpdate] => C:\Program Files\Max Registry Cleaner\MaxLURC.exe [1713112 2018-07-25] (Max Secure Software India Private Ltd. -> Max Secure Software) R2 RCVistaSvc; C:\Program Files\Max Registry Cleaner\RCVistaService.exe [2313688 2018-07-25] (Max Secure Software India Private Ltd. -> Max Secure Software) C:\Users\Public\Desktop\Max Registry Cleaner.lnk C:\Windows\MaxSecureBackup C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Registry Cleaner C:\ProgramData\Max Secure C:\Program Files\Max Registry Cleaner C:\Users\{username}\AppData\Local\Max Secure Software Max Registry Cleaner (HKLM\...\{8D815D9B-4DD9-437E-BFE2-E7374D3E7025}_is1) (Version: 6.0.0.073 - Max Secure Software) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Max Registry Cleaner Adds the file CheckDll.dll"="7/25/2018 4:00 PM, 829912 bytes, A Adds the file CloseAll.exe"="7/25/2018 4:01 PM, 506328 bytes, A Adds the file ExportMail.htm"="5/2/2013 4:49 PM, 5410 bytes, A Adds the file FileSignature.dll"="7/25/2018 4:02 PM, 674776 bytes, A Adds the file IgnoreKeys.ini"="2/2/2015 3:14 PM, 6125 bytes, A Adds the file IgnorePath.ini"="12/12/2014 2:44 PM, 1130 bytes, A Adds the file MaxLURC.exe"="7/25/2018 4:01 PM, 1713112 bytes, A Adds the file MaxRCPopUp.exe"="7/25/2018 4:01 PM, 1449944 bytes, A Adds the file MaxRCSystemTray.exe"="4/2/2019 4:36 PM, 2767128 bytes, A Adds the file MaxRegistryCleaner.chm"="7/25/2018 4:49 PM, 1135296 bytes, A Adds the file MaxRegistryCleaner.exe"="4/2/2019 3:57 PM, 9435928 bytes, A Adds the file MaxSDResourceDll.dll"="3/30/2019 12:21 PM, 22098200 bytes, A Adds the file MaxTeamVReset.exe"="2/8/2019 11:44 AM, 1802200 bytes, A Adds the file OptimizerDll.dll"="7/25/2018 4:07 PM, 581592 bytes, A Adds the file RC_Tips_EN.txt"="5/2/2013 4:49 PM, 5280 bytes, A Adds the file RC_Tips_GE.txt"="5/2/2013 4:49 PM, 6810 bytes, A Adds the file RCVistaService.exe"="7/25/2018 4:02 PM, 2313688 bytes, A Adds the file RegistryCleaner.ico"="2/24/2015 9:58 AM, 257418 bytes, A Adds the file SendReport.exe"="2/8/2019 11:40 AM, 1249752 bytes, A Adds the file SMTPDll.dll"="2/8/2019 11:40 AM, 808408 bytes, A Adds the file StartUpTipsDll.dll"="2/8/2019 11:40 AM, 411608 bytes, A Adds the file TeamViewerQS.exe"="2/8/2019 11:44 AM, 2868232 bytes, A Adds the file unins000.dat"="6/3/2019 9:11 AM, 15983 bytes, A Adds the file unins000.exe"="6/3/2019 9:10 AM, 986392 bytes, A Adds the file unins000.msg"="6/3/2019 9:11 AM, 11401 bytes, A Adds the file VchReg.dll"="3/30/2019 12:22 PM, 2769176 bytes, A Adds the folder C:\Program Files\Max Registry Cleaner\IgnoreData Adds the file RC1.DB"="5/2/2013 4:49 PM, 151 bytes, A Adds the file RC10.DB"="5/2/2013 4:49 PM, 2 bytes, A Adds the file RC11.DB"="5/2/2013 4:49 PM, 13900 bytes, A Adds the file RC12.DB"="5/2/2013 4:49 PM, 7070 bytes, A Adds the file RC13.DB"="5/2/2013 4:49 PM, 3188 bytes, A Adds the file RC2.DB"="5/2/2013 4:49 PM, 2 bytes, A Adds the file RC4.DB"="5/2/2013 4:49 PM, 236 bytes, A Adds the file RC5.DB"="5/2/2013 4:49 PM, 5189 bytes, A Adds the file RC7.DB"="5/2/2013 4:49 PM, 2780 bytes, A Adds the file RC9.DB"="5/2/2013 4:49 PM, 2 bytes, A Adds the folder C:\Program Files\Max Registry Cleaner\LiveUpdate Adds the folder C:\Program Files\Max Registry Cleaner\Log Adds the file ScanLog.txt"="6/3/2019 9:11 AM, 26272 bytes, A Adds the file VoucherLog.txt"="6/3/2019 9:11 AM, 2116 bytes, A Adds the folder C:\Program Files\Max Registry Cleaner\setting Adds the file CurrentSettings.ini"="6/8/2018 12:04 PM, 2543 bytes, A Adds the file English_Strings.ini"="4/2/2019 4:30 PM, 71208 bytes, A Adds the file Export.ini"="5/2/2013 4:49 PM, 400 bytes, A Adds the file German_Strings.ini"="4/2/2019 4:31 PM, 74252 bytes, A Adds the file Voucher_English_Strings.ini"="6/12/2018 4:40 PM, 32772 bytes, A Adds the file Voucher_German_Strings.ini"="6/12/2018 4:40 PM, 32772 bytes, A Adds the folder C:\ProgramData\Max Secure\Max Registry Cleaner Adds the file SYSRegC.mxs"="6/3/2019 9:11 AM, 63 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Registry Cleaner Adds the file Max Registry Cleaner Help.lnk"="6/3/2019 9:11 AM, 964 bytes, A Adds the file Max Registry Cleaner.lnk"="6/3/2019 9:11 AM, 964 bytes, A Adds the file Uninstall Max Registry Cleaner.lnk"="6/3/2019 9:11 AM, 914 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Max Secure Software\MaxDownloadTemp Adds the file maxdownloader.log"="6/3/2019 9:10 AM, 717 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file MaxRegistrycleanerx64.exe"="6/3/2019 9:10 AM, 11155736 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Max Registry Cleaner.lnk"="6/3/2019 9:11 AM, 946 bytes, A Adds the folder C:\Windows\MaxSecureBackup Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE] "RegistrationNo"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Max Registry cleaner] "AppFolder"="REG_SZ", "C:\Program Files\Max Registry Cleaner\" "CheckDaysLeft"="REG_SZ", "6/3/2019" "InstalledProductPath"="REG_SZ", "C:\Users\{username}\Desktop\MaxRegistrycleanerx64.exe" "LastLiveUpdate"="REG_SZ", "3-Jun-2019" "NoOfScans"="REG_DWORD", 0 "ProductVersionNo"="REG_SZ", "6.0.0.073" "PurchaseURL"="REG_SZ", "https://www.bluesnap.com/jsp/buynow.jsp?contractId=2004108" "ScanType"="REG_DWORD", 1 "SetupLaunch"="REG_DWORD", 0 "VendorName"="REG_SZ", "RegistryCleaner" [HKEY_LOCAL_MACHINE\SOFTWARE\Max Registry cleaner\System_settings] "AutomaticLiveUpdate"="REG_DWORD", 1 "ScanWithWindowsStart"="REG_DWORD", 0 "SplashScreen"="REG_DWORD", 1 "StartTips"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RCAutoLiveUpdate"="REG_SZ", "C:\Program Files\Max Registry Cleaner\MaxLURC.exe -AUTO" "RCSystemTray"="REG_SZ", "C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D815D9B-4DD9-437E-BFE2-E7374D3E7025}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Max Registry Cleaner\RegistryCleaner.ico" "DisplayName"="REG_SZ", "Max Registry Cleaner" "DisplayVersion"="REG_SZ", "6.0.0.073" "EstimatedSize"="REG_DWORD", 54444 "HelpLink"="REG_SZ", "http://www.maxpcsecure.com/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Max Registry Cleaner" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "Max Registry Cleaner" "Inno Setup: Language"="REG_SZ", "english" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon" "Inno Setup: Setup Version"="REG_SZ", "5.6.1 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190603" "InstallLocation"="REG_SZ", "C:\Program Files\Max Registry Cleaner\" "MajorVersion"="REG_DWORD", 6 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Max Secure Software" "QuietUninstallString"="REG_SZ", ""C:\Program Files\Max Registry Cleaner\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Max Registry Cleaner\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://www.maxpcsecure.com/" "URLUpdateInfo"="REG_SZ", "http://www.maxpcsecure.com/" "VersionMajor"="REG_DWORD", 6 "VersionMinor"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RCVistaSvc] "DisplayName"="REG_SZ", "RCVistaSvc" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "C:\Program Files\Max Registry Cleaner\RCVistaService.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/3/19 Scan Time: 9:22 AM Log File: 4d879bda-85d0-11e9-aec1-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10878 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236181 Threats Detected: 77 Threats Quarantined: 77 Time Elapsed: 7 min, 9 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 3 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRegistryCleaner.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\RCVistaService.exe, Quarantined, [1220], [393095],1.0.10878 Module: 6 PUP.Optional.MaxSecureSoftware, C:\PROGRAM FILES\MAX REGISTRY CLEANER\OPTIMIZERDLL.DLL, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRegistryCleaner.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxSDResourceDll.dll, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\RCVistaService.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\VchReg.dll, Quarantined, [1220], [393095],1.0.10878 Registry Key: 3 PUP.Optional.MaxSecureSoftware, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RCVistaSvc, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{8D815D9B-4DD9-437E-BFE2-E7374D3E7025}_is1, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxRegistryCleaner, HKLM\SOFTWARE\Max Registry cleaner, Quarantined, [7134], [393234],1.0.10878 Registry Value: 3 PUP.Optional.MaxSecureSoftware, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|RCAutoLiveUpdate, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|RCSystemTray, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RCVISTASVC|IMAGEPATH, Quarantined, [1220], [393080],1.0.10878 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\LiveUpdate, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\setting, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\Log, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\PROGRAM FILES\MAX REGISTRY CLEANER, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Users\{username}\AppData\Local\Max Secure Software\MaxDownloadTemp, Quarantined, [1220], [393078],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\USERS\{username}\APPDATA\LOCAL\MAX SECURE SOFTWARE, Quarantined, [1220], [393078],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MAX REGISTRY CLEANER, Quarantined, [1220], [393091],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\PROGRAMDATA\MAX SECURE\MAX REGISTRY CLEANER, Quarantined, [1220], [393094],1.0.10878 File: 53 PUP.Optional.MaxSecureSoftware, C:\PROGRAM FILES\MAX REGISTRY CLEANER\OPTIMIZERDLL.DLL, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC1.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC10.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC11.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC12.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC13.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC2.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC4.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC5.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC7.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreData\RC9.DB, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\Log\ScanLog.txt, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\Log\VoucherLog.txt, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\setting\CurrentSettings.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\setting\English_Strings.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\setting\Export.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\setting\German_Strings.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\setting\Voucher_English_Strings.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\setting\Voucher_German_Strings.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRegistryCleaner.chm, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\CheckDll.dll, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\CloseAll.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\ExportMail.htm, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\FileSignature.dll, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnoreKeys.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\IgnorePath.ini, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxLURC.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRCPopUp.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxRegistryCleaner.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxSDResourceDll.dll, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\MaxTeamVReset.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\RCVistaService.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\RC_Tips_EN.txt, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\RC_Tips_GE.txt, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\RegistryCleaner.ico, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\SendReport.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\SMTPDll.dll, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\StartUpTipsDll.dll, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\TeamViewerQS.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\unins000.dat, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\unins000.exe, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\unins000.msg, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Program Files\Max Registry Cleaner\VchReg.dll, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Max Registry Cleaner.lnk, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\USERS\PUBLIC\Desktop\Max Registry Cleaner.lnk, Quarantined, [1220], [393095],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\USERS\{username}\DESKTOP\MAXREGISTRYCLEANERX64.EXE, Quarantined, [1220], [393088],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\Users\{username}\AppData\Local\Max Secure Software\MaxDownloadTemp\maxdownloader.log, Quarantined, [1220], [393078],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Registry Cleaner\Max Registry Cleaner Help.lnk, Quarantined, [1220], [393091],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Registry Cleaner\Max Registry Cleaner.lnk, Quarantined, [1220], [393091],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Registry Cleaner\Uninstall Max Registry Cleaner.lnk, Quarantined, [1220], [393091],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\ProgramData\Max Secure\Max Registry Cleaner\SYSRegC.mxs, Quarantined, [1220], [393094],1.0.10878 PUP.Optional.MaxSecureSoftware, C:\USERS\{username}\DESKTOP\MAXRCDM.EXE, Quarantined, [1220], [690737],1.0.10878 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is mBytes Speedup Pro?The Malwarebytes research team has determined that mBytes Speedup Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog. This one also is a bundler.How do I know if I am infected with mBytes Speedup Pro?This is how the main screen of the system optimizer looks:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did mBytes Speedup Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove mBytes Speedup Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of mBytes Speedup Pro? No, Malwarebytes removes mBytes Speedup Pro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the mBytes Speedup Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (SOFTBITS PC LOGICS -> ) C:\Program Files\mBytes Speedup Pro for {computername}\rtc.exe Task: {4B0FA35A-2E74-420B-9925-C0548A302A87} - System32\Tasks\mBytes Speedup Pro_Logon => C:\Program Files\mBytes Speedup Pro for {computername}\rtc.exe [2302144 2019-05-29] (SOFTBITS PC LOGICS -> ) C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername} C:\ProgramData\mBytes Speedup Pro for {computername} C:\Windows\System32\Tasks\mBytes Speedup Pro_Logon C:\Users\Public\Desktop\mBytes Speedup Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Speedup Pro for {computername} C:\Program Files\mBytes Speedup Pro for {computername} ( ) C:\Users\{username}\Desktop\mbspsetup.exe mBytes Speedup Pro (HKLM\...\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1) (Version: 1.0.0.0 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\mBytes Speedup Pro for {computername} Adds the file application.ico"="4/24/2019 10:50 AM, 56150 bytes, A Adds the file HtmlRenderer.dll"="5/29/2019 7:16 PM, 235200 bytes, A Adds the file HtmlRenderer.WinForms.dll"="5/29/2019 7:16 PM, 73920 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="5/29/2019 7:16 PM, 62656 bytes, A Adds the file Interop.SHDocVw.dll"="5/29/2019 7:16 PM, 177344 bytes, A Adds the file langs.db"="11/10/2018 3:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="5/29/2019 7:16 PM, 184512 bytes, A Adds the file NAudio.dll"="5/29/2019 7:16 PM, 484544 bytes, A Adds the file Newtonsoft.Json.dll"="5/29/2019 7:16 PM, 474304 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 11:25 AM, 2358 bytes, A Adds the file pimg.dll"="5/29/2019 7:16 PM, 1846976 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 11:25 AM, 2424 bytes, A Adds the file rtc.exe"="5/29/2019 7:16 PM, 2302144 bytes, A Adds the file rtc.exe.config"="5/29/2019 7:15 PM, 6500 bytes, A Adds the file System.Data.SQLite.DLL"="5/29/2019 7:16 PM, 304320 bytes, A Adds the file TAFactory.IconPack.dll"="5/29/2019 7:16 PM, 50368 bytes, A Adds the file unins000.dat"="5/31/2019 9:17 AM, 84803 bytes, A Adds the file unins000.exe"="5/31/2019 9:16 AM, 1242304 bytes, A Adds the file unins000.msg"="5/31/2019 9:17 AM, 22701 bytes, A Adds the folder C:\Program Files\mBytes Speedup Pro for {computername}\x64 Adds the file SQLite.Interop.dll"="5/29/2019 7:16 PM, 1189056 bytes, A Adds the folder C:\Program Files\mBytes Speedup Pro for {computername}\x86 Adds the file SQLite.Interop.dll"="5/29/2019 7:16 PM, 868032 bytes, A Adds the folder C:\ProgramData\mBytes Speedup Pro for {computername} Adds the file mdb.db"="10/26/2018 10:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 11:25 AM, 130973 bytes, A Adds the folder C:\ProgramData\mBytes Speedup Pro for {computername}\offers Adds the file a_p_t.exe"="5/31/2019 9:21 AM, 832040 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Speedup Pro for {computername} Adds the file Buy mBytes Speedup Pro.lnk"="5/31/2019 9:17 AM, 1000 bytes, A Adds the file mBytes Speedup Pro.lnk"="5/31/2019 9:17 AM, 988 bytes, A Adds the file Uninstall mBytes Speedup Pro.lnk"="5/31/2019 9:17 AM, 1019 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername} Adds the file a_p_t_2.xml"="5/31/2019 9:21 AM, 1206 bytes, A Adds the file Errorlog.txt"="5/31/2019 9:22 AM, 21138 bytes, A Adds the file exlist.bin"="5/31/2019 9:17 AM, 258019 bytes, A Adds the file notifier.xml"="5/31/2019 9:18 AM, 13000 bytes, A Adds the file res.xml"="5/31/2019 9:19 AM, 13999 bytes, A Adds the file update.xml"="5/31/2019 9:18 AM, 36038 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file mBytes Speedup Pro.lnk"="5/31/2019 9:17 AM, 970 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file mBytes Speedup Pro_Logon"="5/31/2019 9:17 AM, 3078 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\bUJ5dGVzIFNwZWVkdXAgUHJv\ACT] "data"="REG_BINARY, .................................................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\mBytes Speedup Pro For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins1.alfactiv.com/install/mbsp/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.unifysmartutils.club/mbsp/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .................................................................................... "Installstring"="REG_SZ", "C:\Program Files\mBytes Speedup Pro for {computername}" "ipaddrurl"="REG_SZ", "http://www.alfactiv.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 35 "lstscandate"="REG_SZ", "5/31/2019 9:19:15 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 35 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.alfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.alfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.unifysmartutils.club/mbsp/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.unifysmartutils.club/mbsp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.unifysmartutils.club/help/" "TELNO"="REG_SZ", "833-423-6820" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "833-423-6820" "WebURL"="REG_SZ", "http://www.unifysmartutils.club/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_187_178_142" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\mBytes Speedup Pro for {computername}\rtc.exe" "DisplayName"="REG_SZ", "mBytes Speedup Pro" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 18250 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\mBytes Speedup Pro for {computername}" "Inno Setup: Icon Group"="REG_SZ", "mBytes Speedup Pro for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190531" "InstallLocation"="REG_SZ", "C:\Program Files\mBytes Speedup Pro for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\mBytes Speedup Pro for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\mBytes Speedup Pro for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\mBytes Speedup Pro For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\mBytes Speedup Pro for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "833-423-6820" "TELNO_us"="REG_SZ", "833-423-6820" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_187_178_142" [HKEY_CURRENT_USER\Software\mBytes Speedup Pro For {computername}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\mBytes Speedup Pro for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/31/19 Scan Time: 9:27 AM Log File: 7d05e9f0-8375-11e9-b460-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10846 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236614 Threats Detected: 79 Threats Quarantined: 79 Time Elapsed: 7 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\rtc.exe, Quarantined, [463], [689191],1.0.10846 Module: 6 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\rtc.exe, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [463], [689191],1.0.10846 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\mBytes Speedup Pro_Logon, Quarantined, [463], [689188],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4B0FA35A-2E74-420B-9925-C0548A302A87}, Quarantined, [463], [689188],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{4B0FA35A-2E74-420B-9925-C0548A302A87}, Quarantined, [463], [689188],1.0.10846 PUP.Optional.PCVARK, HKCU\SOFTWARE\mBytes Speedup Pro For {computername}, Quarantined, [463], [689648],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\bUJ5dGVzIFNwZWVkdXAgUHJv, Quarantined, [463], [689211],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\mBytes Speedup Pro For {computername}, Quarantined, [463], [689189],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [463], [540842],1.0.10846 Registry Value: 6 PUP.Optional.PCVARK, HKCU\SOFTWARE\mBytes Speedup Pro For {computername}|AFFILIATEID, Quarantined, [463], [689648],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4B0FA35A-2E74-420B-9925-C0548A302A87}|PATH, Quarantined, [463], [689186],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\mBytes Speedup Pro For {computername}|AFFIRED, Quarantined, [463], [689189],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E353BB03-55C2-4570-AE8F-71E584519BE8}_is1|INSTALLLOCATION, Quarantined, [463], [689196],1.0.10846 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [463], [540842],1.0.10846 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1219], [484510],1.0.10846 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\ProgramData\mBytes Speedup Pro for {computername}\offers, Quarantined, [463], [689193],1.0.10846 PUP.Optional.PCVARK, C:\PROGRAMDATA\mBytes Speedup Pro for {computername}, Quarantined, [463], [689193],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\x64, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\x86, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\PROGRAM FILES\mBytes Speedup Pro for {computername}, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\mBytes Speedup Pro for {computername}, Quarantined, [463], [689192],1.0.10846 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername}\smico, Quarantined, [463], [689194],1.0.10846 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\mBytes Speedup Pro For {computername}, Quarantined, [463], [689194],1.0.10846 File: 50 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\mBytes Speedup Pro_Logon, Quarantined, [463], [689188],1.0.10846 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\mBytes Speedup Pro.lnk, Quarantined, [463], [689224],1.0.10846 PUP.Optional.PCVARK, C:\PROGRAMDATA\mBytes Speedup Pro for {computername}\mdb.db, Quarantined, [463], [689193],1.0.10846 PUP.Optional.PCVARK, C:\ProgramData\mBytes Speedup Pro for {computername}\offers\a_p_t.exe, Quarantined, [463], [689193],1.0.10846 PUP.Optional.PCVARK, C:\ProgramData\mBytes Speedup Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [463], [689193],1.0.10846 PUP.Optional.PCVARK, C:\PROGRAM FILES\mBytes Speedup Pro for {computername}\unins000.dat, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\langs.db, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\application.ico, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\danish_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\Dutch_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\english_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\finish_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\French_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\german_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\HtmlRenderer.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\italian_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\japanese_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\NAudio.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\norwegian_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\pimg.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\portuguese_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\rtc.exe, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\rtc.exe.config, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\russian_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\spanish_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\swedish_iss.ini, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\unins000.exe, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\Program Files\mBytes Speedup Pro for {computername}\unins000.msg, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\mBytes Speedup Pro.lnk, Quarantined, [463], [689191],1.0.10846 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\mBytes Speedup Pro for {computername}\Buy mBytes Speedup Pro.lnk, Quarantined, [463], [689192],1.0.10846 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Speedup Pro for {computername}\mBytes Speedup Pro.lnk, Quarantined, [463], [689192],1.0.10846 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Speedup Pro for {computername}\Uninstall mBytes Speedup Pro.lnk, Quarantined, [463], [689192],1.0.10846 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\mBytes Speedup Pro For {computername}\Errorlog.txt, Quarantined, [463], [689194],1.0.10846 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername}\a_p_t_2.xml, Quarantined, [463], [689194],1.0.10846 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername}\exlist.bin, Quarantined, [463], [689194],1.0.10846 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername}\notifier.xml, Quarantined, [463], [689194],1.0.10846 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername}\res.xml, Quarantined, [463], [689194],1.0.10846 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Speedup Pro For {computername}\update.xml, Quarantined, [463], [689194],1.0.10846 PUP.Optional.PCVARK, C:\PROGRAMDATA\MBYTES SPEEDUP PRO FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [463], [583068],1.0.10846 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [463], [583068],1.0.10846 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\MBSPSETUP.EXE, Quarantined, [463], [689325],1.0.10846 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Incognito Private Shield?The Malwarebytes research team has determined that Incognito Private Shield is a "privacy optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.This particular one has beenHow do I know if I am infected with Incognito Private Shield?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Incognito Private Shield get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website.How do I remove Incognito Private Shield?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Incognito Private Shield? No, Malwarebytes removes Incognito Private Shield completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Incognito Private Shield installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Uniwebsal SRL -> Incognito Private Shield) C:\Program Files (x86)\Incognito Private Shield\IncognitoPrivateShield.exe HKCU\...\Run: [IncognitoPrivateShield] => C:\Program Files (x86)\Incognito Private Shield\IncognitoPrivateShield.exe [6334872 2016-09-27] (Uniwebsal SRL -> Incognito Private Shield) Task: {3ECBB255-7114-4104-8164-3D69C2EBC0A8} - System32\Tasks\IncognitoPrivateShield_Popup3 => C:\Program Files (x86)\Incognito Private Shield\IncognitoPrivateShield.exe [6334872 2016-09-27] (Uniwebsal SRL -> Incognito Private Shield) Task: {E5EBC09E-8C16-4CAC-9E4C-3646236593EF} - System32\Tasks\IncognitoPrivateShield_Master => C:\Program Files (x86)\Incognito Private Shield\InstAct.exe [35736 2016-09-27] (Uniwebsal SRL -> ) Task: {EC79EE5D-2331-4A67-A988-B3C1E4673DB0} - System32\Tasks\IncognitoPrivateShield_Popup => C:\Program Files (x86)\Incognito Private Shield\IncognitoPrivateShield.exe [6334872 2016-09-27] (Uniwebsal SRL -> Incognito Private Shield) C:\Windows\System32\Tasks\IncognitoPrivateShield_Popup3 C:\Users\{username}\AppData\Local\IncognitoPrivateShield C:\Windows\System32\Tasks\IncognitoPrivateShield_Popup C:\Windows\System32\Tasks\IncognitoPrivateShield_Master C:\Users\{username}\Desktop\Incognito Private Shield.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Incognito Private Shield C:\Program Files (x86)\Incognito Private Shield (Incognito Private Shield) C:\Users\{username}\Desktop\IncognitoPrivateShieldSetup.exe Incognito Private Shield (HKLM-x32\...\Incognito Private Shield) (Version: 3.2.0 - Incognito Private Shield) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Incognito Private Shield Adds the file Esent.Interop.dll"="8/29/2016 6:17 PM, 326656 bytes, A Adds the file IncognitoPrivateShield.exe"="9/27/2016 5:28 PM, 6334872 bytes, A Adds the file IncognitoPrivateShield.exe.config"="8/29/2016 6:17 PM, 231 bytes, A Adds the file IncognitoPrivateShield.vshost.exe"="9/27/2016 5:21 PM, 21656 bytes, A Adds the file IncognitoPrivateShield.vshost.exe.config"="8/29/2016 6:17 PM, 231 bytes, A Adds the file IncognitoPrivateShield.vshost.exe.manifest"="8/29/2016 6:17 PM, 3219 bytes, A Adds the file InstAct.exe"="9/27/2016 5:29 PM, 35736 bytes, A Adds the file InstAct.exe.config"="8/29/2016 6:17 PM, 232 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="8/29/2016 6:17 PM, 322560 bytes, A Adds the file Newtonsoft.Json.dll"="8/29/2016 6:17 PM, 494080 bytes, A Adds the file PrivacyEngine.dll"="9/27/2016 5:19 PM, 125952 bytes, A Adds the file PrivacyEngine.dll.config"="8/29/2016 6:17 PM, 229 bytes, A Adds the file schedc.exe"="9/27/2016 5:28 PM, 30104 bytes, A Adds the file schedc.exe.config"="8/29/2016 6:17 PM, 232 bytes, A Adds the file schedc10.exe"="9/27/2016 5:29 PM, 32664 bytes, A Adds the file schedc10.exe.config"="8/29/2016 6:17 PM, 232 bytes, A Adds the file Setup.dll"="9/27/2016 5:19 PM, 64000 bytes, A Adds the file Setup.dll.config"="8/29/2016 6:17 PM, 229 bytes, A Adds the file System.Data.SQLite.dll"="8/29/2016 6:17 PM, 1175552 bytes, A Adds the file TaskTools.exe"="9/27/2016 5:29 PM, 61848 bytes, A Adds the file TaskTools.exe.config"="8/29/2016 6:17 PM, 231 bytes, A Adds the file uninstall.exe"="9/27/2016 5:29 PM, 207592 bytes, A Adds the file updater.exe"="9/27/2016 5:28 PM, 460696 bytes, A Adds the file updater.ini"="5/29/2019 10:38 AM, 470 bytes, A Adds the file Util.dll"="9/27/2016 5:19 PM, 233984 bytes, A Adds the folder C:\Program Files (x86)\Incognito Private Shield\ar Adds the file IncognitoPrivateShield.resources.dll"="9/27/2016 5:20 PM, 37376 bytes, A Adds the folder C:\Users\{username}\AppData\Local\IncognitoPrivateShield Adds the file chcookies.txt"="5/29/2019 10:38 AM, 24072 bytes, A Adds the file cla"="5/29/2019 10:38 AM, 0 bytes, A Adds the file debug.log"="5/29/2019 10:38 AM, 918 bytes, A Adds the file ffcookies.txt"="5/29/2019 10:38 AM, 26120 bytes, A Adds the file iecookies.txt"="5/29/2019 10:38 AM, 1884 bytes, A Adds the file IncognitoPrivateShield.settings"="5/29/2019 10:39 AM, 1800 bytes, A Adds the file log.rtf"="5/29/2019 10:38 AM, 1317 bytes, A Adds the file lsttick"="5/29/2019 10:38 AM, 8 bytes, A Adds the file report.txt"="5/29/2019 10:39 AM, 92 bytes, A Adds the file wndstate.tmp"="5/29/2019 10:38 AM, 5 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Incognito Private Shield Adds the file Incognito Private Shield.lnk"="5/29/2019 10:38 AM, 1225 bytes, A Adds the file Uninstall Incognito Private Shield.lnk"="5/29/2019 10:38 AM, 942 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file Incognito Private Shield.lnk"="5/29/2019 10:38 AM, 1189 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file IncognitoPrivateShield_Master"="5/29/2019 10:38 AM, 3054 bytes, A Adds the file IncognitoPrivateShield_Popup"="5/29/2019 10:38 AM, 3540 bytes, A Adds the file IncognitoPrivateShield_Popup3"="5/29/2019 10:39 AM, 3806 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Incognito Private Shield] " "="REG_SZ", "C:\Program Files (x86)\Incognito Private Shield\IncognitoPrivateShield.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Incognito Private Shield\Incognito Private Shield] "Path"="REG_SZ", "C:\Program Files (x86)\Incognito Private Shield" "Version"="REG_SZ", "3.2.0" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Incognito Private Shield] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Incognito Private Shield\IncognitoPrivateShield.exe" "DisplayName"="REG_SZ", "Incognito Private Shield" "DisplayVersion"="REG_SZ", "3.2.0" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Incognito Private Shield" "QuietUninstallString"="REG_SZ", "C:\Program Files (x86)\Incognito Private Shield\uninstall.exe /S" "UninstallString"="REG_SZ", "C:\Program Files (x86)\Incognito Private Shield\uninstall.exe" [HKEY_CURRENT_USER\Software\Incognito Private Shield\Incognito Private Shield] "Custom1"="REG_DWORD", 0 "Custom2"="REG_DWORD", 0 "ResName"="REG_SZ", "Regular" [HKEY_CURRENT_USER\Software\IncognitoPrivateShieldValidity] "Base"="REG_SZ", "Oracle CorporationBase Board0" "Bios"="REG_SZ", "innotek GmbHVirtualBox020061201000000.000000+000VBOX - 1" "Cpu"="REG_SZ", "Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz2808" "Disk"="REG_SZ", "VBOX HARDDISK ATA Device(Standard disk drives)2064909821255" "lang"="REG_SZ", "en" "Reg"="REG_SZ", "EAAAADLDaWWqK06slDFKgs3w5CFiZdrC8agZ8/HIfKXg14MB" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "IncognitoPrivateShield"="REG_SZ", ""C:\Program Files (x86)\Incognito Private Shield\IncognitoPrivateShield.exe" minimized" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/29/19 Scan Time: 10:54 AM Log File: 70b296f8-81ef-11e9-8c62-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10812 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236202 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 6 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Generic.Malware/Suspicious, C:\PROGRAM FILES (X86)\INCOGNITO PRIVATE SHIELD\INCOGNITOPRIVATESHIELD.EXE, Quarantined, [0], [392686],1.0.10812 Module: 1 Generic.Malware/Suspicious, C:\PROGRAM FILES (X86)\INCOGNITO PRIVATE SHIELD\INCOGNITOPRIVATESHIELD.EXE, Quarantined, [0], [392686],1.0.10812 Registry Key: 6 Generic.Malware/Suspicious, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\IncognitoPrivateShield_Popup, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{EC79EE5D-2331-4A67-A988-B3C1E4673DB0}, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{EC79EE5D-2331-4A67-A988-B3C1E4673DB0}, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\IncognitoPrivateShield_Popup3, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3ECBB255-7114-4104-8164-3D69C2EBC0A8}, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{3ECBB255-7114-4104-8164-3D69C2EBC0A8}, Quarantined, [0], [392686],1.0.10812 Registry Value: 1 Generic.Malware/Suspicious, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|IncognitoPrivateShield, Quarantined, [0], [392686],1.0.10812 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 6 Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\TASKS\IncognitoPrivateShield_Popup, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\TASKS\IncognitoPrivateShield_Popup3, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, C:\USERS\{username}\Desktop\Incognito Private Shield.lnk, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, C:\PROGRAM FILES (X86)\INCOGNITO PRIVATE SHIELD\INCOGNITOPRIVATESHIELD.EXE, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{379980DC-DA27-49B1-9C77-5B822DD27943}-INCOGNITOPRIVATESHIELDSETUP.EXE, Quarantined, [0], [392686],1.0.10812 Generic.Malware/Suspicious, C:\USERS\{username}\DESKTOP\INCOGNITOPRIVATESHIELDSETUP.EXE, Quarantined, [0], [392686],1.0.10812 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is mBytes Clean Pro?The Malwarebytes research team has determined that mBytes Clean Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog. This one also is a bundler.How do I know if I am infected with mBytes Clean Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did mBytes Clean Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove mBytes Clean Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of mBytes Clean Pro? No, Malwarebytes removes mBytes Clean Pro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the mBytes Clean Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (QUICK SPEEDUP TOOLS -> ) C:\Program Files\mBytes Clean Pro for {computername}\rtc.exe Task: {CE170E43-3CAF-4817-847C-50A784D7F079} - System32\Tasks\mBytes Clean Pro_Logon => C:\Program Files\mBytes Clean Pro for {computername}\rtc.exe [2301984 2019-05-24] (QUICK SPEEDUP TOOLS -> ) C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername} C:\ProgramData\mBytes Clean Pro for {computername} C:\Windows\System32\Tasks\mBytes Clean Pro_Logon C:\Users\Public\Desktop\mBytes Clean Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Clean Pro for {computername} C:\Program Files\mBytes Clean Pro for {computername} ( ) C:\Users\{username}\Desktop\mbcpsetup.exe mBytes Clean Pro (HKLM\...\{0B188E3B-5910-4F4D-8B28-3AC8EFD54931}_is1) (Version: 1.0.0.0 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\mBytes Clean Pro for {computername} Adds the file application.ico"="4/24/2019 10:50 AM, 56150 bytes, A Adds the file danish_iss.ini"="5/16/2018 11:25 AM, 2402 bytes, A Adds the file HtmlRenderer.dll"="5/24/2019 12:08 PM, 235040 bytes, A Adds the file HtmlRenderer.WinForms.dll"="5/24/2019 12:08 PM, 73760 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="5/24/2019 12:08 PM, 62496 bytes, A Adds the file Interop.SHDocVw.dll"="5/24/2019 12:08 PM, 177184 bytes, A Adds the file langs.db"="11/10/2018 3:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="5/24/2019 12:08 PM, 184352 bytes, A Adds the file NAudio.dll"="5/24/2019 12:08 PM, 484384 bytes, A Adds the file Newtonsoft.Json.dll"="5/24/2019 12:08 PM, 474144 bytes, A Adds the file pimg.dll"="5/24/2019 12:08 PM, 1934880 bytes, A Adds the file rtc.exe"="5/24/2019 12:08 PM, 2301984 bytes, A Adds the file rtc.exe.config"="5/24/2019 12:08 PM, 6383 bytes, A Adds the file System.Data.SQLite.DLL"="5/24/2019 12:08 PM, 304160 bytes, A Adds the file TAFactory.IconPack.dll"="5/24/2019 12:08 PM, 50208 bytes, A Adds the file unins000.dat"="5/28/2019 9:18 AM, 84459 bytes, A Adds the file unins000.exe"="5/28/2019 9:17 AM, 1242144 bytes, A Adds the file unins000.msg"="5/28/2019 9:18 AM, 22701 bytes, A Adds the folder C:\Program Files\mBytes Clean Pro for {computername}\x64 Adds the file SQLite.Interop.dll"="5/24/2019 12:08 PM, 1188896 bytes, A Adds the folder C:\Program Files\mBytes Clean Pro for {computername}\x86 Adds the file SQLite.Interop.dll"="5/24/2019 12:08 PM, 867872 bytes, A Adds the folder C:\ProgramData\mBytes Clean Pro for {computername} Adds the file mdb.db"="10/26/2018 10:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 11:25 AM, 130973 bytes, A Adds the folder C:\ProgramData\mBytes Clean Pro for {computername}\offers Adds the file a_p_t.exe"="5/28/2019 9:22 AM, 832040 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Clean Pro for {computername} Adds the file Buy mBytes Clean Pro.lnk"="5/28/2019 9:18 AM, 986 bytes, A Adds the file mBytes Clean Pro.lnk"="5/28/2019 9:18 AM, 974 bytes, A Adds the file Uninstall mBytes Clean Pro.lnk"="5/28/2019 9:18 AM, 1005 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername} Adds the file a_p_t_2.xml"="5/28/2019 9:22 AM, 1206 bytes, A Adds the file Errorlog.txt"="5/28/2019 9:22 AM, 20996 bytes, A Adds the file exlist.bin"="5/28/2019 9:18 AM, 258015 bytes, A Adds the file notifier.xml"="5/28/2019 9:18 AM, 12994 bytes, A Adds the file res.xml"="5/28/2019 9:20 AM, 13991 bytes, A Adds the file update.xml"="5/28/2019 9:18 AM, 36026 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file mBytes Clean Pro.lnk"="5/28/2019 9:18 AM, 956 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file mBytes Clean Pro_Logon"="5/28/2019 9:18 AM, 3074 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\bUJ5dGVzIENsZWFuIFBybw==\ACT] "data"="REG_BINARY, ........................................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\mBytes Clean Pro For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trkinstl.com/install/mbcp/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.unifypctools.club/mbcp/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ............................................................................. "Installstring"="REG_SZ", "C:\Program Files\mBytes Clean Pro for {computername}" "ipaddrurl"="REG_SZ", "http://www.trkinstl.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 1 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 35 "lstscandate"="REG_SZ", "5/28/2019 9:20:09 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 35 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "https://d8l61qux1ke73.cloudfront.net/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.trkinstl.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.unifypctools.club/mbcp/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.unifypctools.club/mbcp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.unifypctools.club/help/" "TELNO"="REG_SZ", "085 888 7056" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "085 888 7056" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "WebURL"="REG_SZ", "http://www.unifypctools.club/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "nl" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "185_229_190_152" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0B188E3B-5910-4F4D-8B28-3AC8EFD54931}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\mBytes Clean Pro for {computername}\rtc.exe" "DisplayName"="REG_SZ", "mBytes Clean Pro" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 18420 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\mBytes Clean Pro for {computername}" "Inno Setup: Icon Group"="REG_SZ", "mBytes Clean Pro for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190528" "InstallLocation"="REG_SZ", "C:\Program Files\mBytes Clean Pro for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\mBytes Clean Pro for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\mBytes Clean Pro for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\mBytes Clean Pro For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\mBytes Clean Pro for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "085 888 7056" "TELNO_nl"="REG_SZ", "085 888 7056" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "185_229_190_152" [HKEY_CURRENT_USER\Software\mBytes Clean Pro For {computername}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\mBytes Clean Pro for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/28/19 Scan Time: 9:29 AM Log File: 5f00bf3c-811a-11e9-b445-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.10794 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236444 Threats Detected: 77 Threats Quarantined: 77 Time Elapsed: 7 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\rtc.exe, Quarantined, [462], [687504],1.0.10794 Module: 6 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\rtc.exe, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [462], [687504],1.0.10794 Registry Key: 7 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\mBytes Clean Pro_Logon, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CE170E43-3CAF-4817-847C-50A784D7F079}, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{CE170E43-3CAF-4817-847C-50A784D7F079}, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0B188E3B-5910-4F4D-8B28-3AC8EFD54931}_is1, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\mBytes Clean Pro For {computername}, Quarantined, [462], [687502],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\bUJ5dGVzIENsZWFuIFBybw==, Quarantined, [462], [687525],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [462], [540842],1.0.10794 Registry Value: 5 PUP.Optional.PCVARK, HKLM\SOFTWARE\mBytes Clean Pro For {computername}|AFFIRED, Quarantined, [462], [687502],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CE170E43-3CAF-4817-847C-50A784D7F079}|PATH, Quarantined, [462], [687499],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0B188E3B-5910-4F4D-8B28-3AC8EFD54931}_is1|INSTALLLOCATION, Quarantined, [462], [687509],1.0.10794 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [462], [540842],1.0.10794 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1219], [484510],1.0.10794 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\x64, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\x86, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\PROGRAM FILES\mBytes Clean Pro for {computername}, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\ProgramData\mBytes Clean Pro for {computername}\offers, Quarantined, [462], [687506],1.0.10794 PUP.Optional.PCVARK, C:\PROGRAMDATA\mBytes Clean Pro for {computername}, Quarantined, [462], [687506],1.0.10794 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\mBytes Clean Pro for {computername}, Quarantined, [462], [687505],1.0.10794 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername}\smico, Quarantined, [462], [687507],1.0.10794 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\mBytes Clean Pro For {computername}, Quarantined, [462], [687507],1.0.10794 File: 50 PUP.Optional.PCVARK, C:\PROGRAM FILES\mBytes Clean Pro for {computername}\unins000.dat, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\langs.db, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\application.ico, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\danish_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\Dutch_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\english_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\finish_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\French_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\german_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\HtmlRenderer.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\italian_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\japanese_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\NAudio.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\norwegian_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\pimg.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\portuguese_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\rtc.exe, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\rtc.exe.config, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\russian_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\spanish_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\swedish_iss.ini, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\unins000.exe, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\Program Files\mBytes Clean Pro for {computername}\unins000.msg, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\mBytes Clean Pro_Logon, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\mBytes Clean Pro.lnk, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\USERS\PUBLIC\Desktop\mBytes Clean Pro.lnk, Quarantined, [462], [687504],1.0.10794 PUP.Optional.PCVARK, C:\PROGRAMDATA\mBytes Clean Pro for {computername}\mdb.db, Quarantined, [462], [687506],1.0.10794 PUP.Optional.PCVARK, C:\ProgramData\mBytes Clean Pro for {computername}\offers\a_p_t.exe, Quarantined, [462], [687506],1.0.10794 PUP.Optional.PCVARK, C:\ProgramData\mBytes Clean Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [462], [687506],1.0.10794 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\mBytes Clean Pro for {computername}\Buy mBytes Clean Pro.lnk, Quarantined, [462], [687505],1.0.10794 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Clean Pro for {computername}\mBytes Clean Pro.lnk, Quarantined, [462], [687505],1.0.10794 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mBytes Clean Pro for {computername}\Uninstall mBytes Clean Pro.lnk, Quarantined, [462], [687505],1.0.10794 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\mBytes Clean Pro For {computername}\Errorlog.txt, Quarantined, [462], [687507],1.0.10794 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername}\a_p_t_2.xml, Quarantined, [462], [687507],1.0.10794 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername}\exlist.bin, Quarantined, [462], [687507],1.0.10794 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername}\notifier.xml, Quarantined, [462], [687507],1.0.10794 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername}\res.xml, Quarantined, [462], [687507],1.0.10794 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\mBytes Clean Pro For {computername}\update.xml, Quarantined, [462], [687507],1.0.10794 PUP.Optional.PCVARK, C:\PROGRAMDATA\MBYTES CLEAN PRO FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [462], [583068],1.0.10794 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [462], [583068],1.0.10794 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\MBCPSETUP.EXE, Quarantined, [462], [687514],1.0.10794 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.