Metallica

Staff
  • Content Count: 2,415
  • 5 Followers

About Metallica
  • Rank: Master of PUPs
  • Birthday: 05/19/1963

Profile Information
  • Location: Netherlands

Recent Profile Visitors
  • 166,785 profile views
  1. What is Search Box DS?

     The Malwarebytes research team has determined that Search Box DS is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

     How do I know if my computer is affected by Search Box DS?

     You may see this entry in your list of installed Chrome extensions:
     and these warnings during install:
     You will see this icon in your Chrome menu-bar:
     and this changed setting:

     How did Search Box DS get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
     after a redirect from their website:

     How do I remove Search Box DS?

     Our program Malwarebytes can detect and remove this potentially unwanted program.
     Please download Malwarebytes to your desktop.
     Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     Then click Finish.
     Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Search Box DS?

     No, Malwarebytes removes Search Box DS completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker.
     As you can see below the full version of Malwarebytes would have protected you against the Search Box DS hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:

     CHR DefaultSearchURL: Default -> hxxps://feed.searchboxlive.com?st=ds&q={searchTerms}&publisher=searchboxds&barcodeid=561640000000000
     CHR DefaultSearchKeyword: Default -> SearchBox
     CHR DefaultSuggestURL: Default -> hxxps://api.searchboxlive.com/suggest/get?q={searchTerms}
     CHR Extension: (SearchBox) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj [2019-08-23]

     Alterations made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0
     Adds the file closer.js"="8/7/2018 11:31 AM, 15 bytes, A
     Adds the file manifest.json"="8/23/2019 8:53 AM, 2097 bytes, A
     Adds the file tab.html"="8/7/2018 11:31 AM, 165 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\_metadata
     Adds the file computed_hashes.json"="8/23/2019 8:53 AM, 841 bytes, A
     Adds the file verified_contents.json"="8/21/2019 9:40 AM, 2131 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\images
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\images\icons
     Adds the file 128x128.png"="8/23/2019 8:53 AM, 6201 bytes, A
     Adds the file 16x16.png"="8/23/2019 8:53 AM, 543 bytes, A
     Adds the file 64x64.png"="8/23/2019 8:53 AM, 2925 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\scripts
     Adds the file background.js"="8/21/2019 9:48 AM, 32824 bytes, A
     Adds the file sitecontent.js"="8/20/2019 4:05 PM, 77 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hfbjajcpicfpkiiiajggnphibcabkdjj
     Adds the file Search Box DS.ico"="8/23/2019 8:53 AM, 186207 bytes, A
     Adds the file Search Box DS.ico.md5"="8/23/2019 8:53 AM, 16 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "hfbjajcpicfpkiiiajggnphibcabkdjj"="REG_SZ", "322222313B40FAE1D3310EE0605E9758DC374DF75FC506577F97A33EB4289ADA"

     Malwarebytes log:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 8/23/19
     Scan Time: 9:03 AM
     Log File: 1a75b59a-c574-11e9-8bea-00ffdcc6fdfc.json

     -Software Information-
     Version: 3.8.3.2965
     Components Version: 1.0.613
     Update Package Version: 1.0.12147
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 236304
     Threats Detected: 19
     Threats Quarantined: 19
     Time Elapsed: 10 min, 25 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 1
     PUP.Optional.SearchBoxLive, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hfbjajcpicfpkiiiajggnphibcabkdjj, Quarantined, [14748], [723101],1.0.12147

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 6
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\images\icons, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\_metadata, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\scripts, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\images, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HFBJAJCPICFPKIIIAJGGNPHIBCABKDJJ, Quarantined, [14748], [723101],1.0.12147

     File: 12
     PUP.Optional.SearchBoxLive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HFBJAJCPICFPKIIIAJGGNPHIBCABKDJJ\1.0.2_0\MANIFEST.JSON, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\images\icons\128x128.png, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\images\icons\16x16.png, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\images\icons\64x64.png, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\scripts\background.js, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\scripts\sitecontent.js, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\_metadata\computed_hashes.json, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\_metadata\verified_contents.json, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\closer.js, Quarantined, [14748], [723101],1.0.12147
     PUP.Optional.SearchBoxLive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfbjajcpicfpkiiiajggnphibcabkdjj\1.0.2_0\tab.html, Quarantined, [14748], [723101],1.0.12147

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
     We use different ways of protecting your computer(s):
     Dynamically Blocks Malware Sites & Servers
     Malware Execution Prevention
     Save yourself the hassle and get protected.
  2. What is Xtron PC Speedup?

     The Malwarebytes research team has determined that Xtron PC Speedup is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
     More information can be found on our Malwarebytes Labs blog.

     How do I know if I am infected with Xtron PC Speedup?

     This is how the main screen of the system optimizer looks:
     You will find these icons in your taskbar, your startmenu, and on your desktop:
     and see this warning during install:
     and these screens during "operations":
     You may see this entry in your list of installed programs:
     and this task in your list of Scheduled Tasks:

     How did Xtron PC Speedup get on my computer?

     These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:

     How do I remove Xtron PC Speedup?

     Our program Malwarebytes can detect and remove this potentially unwanted application.
     Please download Malwarebytes to your desktop.
     Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     Then click Finish.
     Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Xtron PC Speedup?

     No, Malwarebytes removes Xtron PC Speedup completely.
     This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this system optimizer.
     As you can see below the full version of Malwarebytes would have protected you against the Xtron PC Speedup installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
     and we block access to their domain:

     Technical details for experts

     You may see these entries in FRST logs:

     (TECHNOSOFT SOLUTIONS -> ) [File not signed] C:\Program Files\XTR0N PC-Speedup_{username}\rgcl.exe
     Task: {99567D9D-5EB6-40A7-98EF-A7A20D1D395F} - System32\Tasks\XTR0N PC-Speedup_Logon => C:\Program Files\XTR0N PC-Speedup_{username}\rgcl.exe [1898080 2019-08-20] (TECHNOSOFT SOLUTIONS -> ) [File not signed] <==== ATTENTION
     C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}
     C:\Windows\System32\Tasks\XTR0N PC-Speedup_Logon
     C:\Users\Public\Desktop\XTR0N PC-Speedup.lnk
     C:\ProgramData\XTR0N PC-Speedup_{username}
     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XTR0N PC-Speedup_{username}
     C:\Program Files\XTR0N PC-Speedup_{username}
     XTR0N PC-Speedup (HKLM\...\{67AD45F0-1FD9-4125-83A6-4A0CD3ED8BC8}_is1) (Version: 1.0.0.30 - )

     Alterations made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Program Files\XTR0N PC-Speedup_{username}
     Adds the file application.ico"="8/20/2019 7:10 PM, 79930 bytes, A
     Adds the file danish_iss.ini"="5/29/2019 3:54 PM, 2402 bytes, A
     Adds the file Dutch_iss.ini"="5/29/2019 3:54 PM, 2600 bytes, A
     Adds the file english_iss.ini"="5/29/2019 3:54 PM, 2256 bytes, A
     Adds the file finish_iss.ini"="5/29/2019 3:54 PM, 2368 bytes, A
     Adds the file French_iss.ini"="5/29/2019 3:54 PM, 2792 bytes, A
     Adds the file german_iss.ini"="5/29/2019 3:54 PM, 2658 bytes, A
     Adds the file HtmlRenderer.dll"="8/20/2019 7:32 PM, 235104 bytes, A
     Adds the file HtmlRenderer.WinForms.dll"="8/20/2019 7:32 PM, 73824 bytes, A
     Adds the file Interop.IWshRuntimeLibrary.dll"="8/20/2019 7:32 PM, 62560 bytes, A
     Adds the file Interop.SHDocVw.dll"="8/20/2019 7:32 PM, 177248 bytes, A
     Adds the file italian_iss.ini"="5/29/2019 3:54 PM, 2532 bytes, A
     Adds the file japanese_iss.ini"="5/29/2019 3:54 PM, 1844 bytes, A
     Adds the file kimg.dll"="8/20/2019 7:32 PM, 793696 bytes, A
     Adds the file langs.db"="6/24/2019 5:44 PM, 486400 bytes, A
     Adds the file Microsoft.Win32.TaskScheduler.dll"="8/20/2019 7:32 PM, 184416 bytes, A
     Adds the file NAudio.dll"="8/20/2019 7:32 PM, 484448 bytes, A
     Adds the file Newtonsoft.Json.dll"="8/20/2019 7:32 PM, 474208 bytes, A
     Adds the file norwegian_iss.ini"="5/29/2019 3:54 PM, 2358 bytes, A
     Adds the file portuguese_iss.ini"="5/29/2019 3:54 PM, 2424 bytes, A
     Adds the file rgcl.exe"="8/20/2019 7:32 PM, 1898080 bytes, A
     Adds the file rgcl.exe.config"="8/20/2019 7:32 PM, 4599 bytes, A
     Adds the file russian_iss.ini"="5/29/2019 3:54 PM, 2494 bytes, A
     Adds the file spanish_iss.ini"="5/29/2019 3:54 PM, 2548 bytes, A
     Adds the file swedish_iss.ini"="5/29/2019 3:54 PM, 2270 bytes, A
     Adds the file System.Data.SQLite.DLL"="8/20/2019 7:32 PM, 304224 bytes, A
     Adds the file TAFactory.IconPack.dll"="8/20/2019 7:32 PM, 50272 bytes, A
     Adds the file unins000.dat"="8/22/2019 8:59 AM, 75191 bytes, A
     Adds the file unins000.exe"="8/22/2019 8:58 AM, 1265760 bytes, A
     Adds the file unins000.msg"="8/22/2019 8:59 AM, 22701 bytes, A
     Adds the folder C:\Program Files\XTR0N PC-Speedup_{username}\x64
     Adds the file SQLite.Interop.dll"="8/20/2019 7:32 PM, 1188960 bytes, A
     Adds the folder C:\Program Files\XTR0N PC-Speedup_{username}\x86
     Adds the file SQLite.Interop.dll"="8/20/2019 7:32 PM, 867936 bytes, A
     Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XTR0N PC-Speedup_{username}
     Adds the file Buy XTR0N PC-Speedup.lnk"="8/22/2019 8:59 AM, 944 bytes, A
     Adds the file Uninstall XTR0N PC-Speedup.lnk"="8/22/2019 8:59 AM, 956 bytes, A
     Adds the file XTR0N PC-Speedup.lnk"="8/22/2019 8:59 AM, 932 bytes, A
     Adds the folder C:\ProgramData\XTR0N PC-Speedup_{username}
     Adds the file mdb.db"="6/25/2019 6:28 PM, 6643712 bytes, A
     Adds the folder C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}
     Adds the file aptnotfr.xml"="8/22/2019 9:00 AM, 9108 bytes, A
     Adds the file Errorlog.txt"="8/22/2019 9:07 AM, 30524 bytes, A
     Adds the file exlist.bin"="8/22/2019 8:59 AM, 257909 bytes, A
     Adds the file res.xml"="8/22/2019 9:07 AM, 29144 bytes, A
     Adds the file upt.xml"="8/22/2019 8:59 AM, 27334 bytes, A
     Adds the folder C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}\smico
     In the existing folder C:\Users\Public\Desktop
     Adds the file XTR0N PC-Speedup.lnk"="8/22/2019 8:59 AM, 914 bytes, A
     In the existing folder C:\Windows\System32\Tasks
     Adds the file XTR0N PC-Speedup_Logon"="8/22/2019 8:59 AM, 3060 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{67AD45F0-1FD9-4125-83A6-4A0CD3ED8BC8}_is1]
     "DisplayIcon"="REG_SZ", "C:\Program Files\XTR0N PC-Speedup_{username}\rgcl.exe"
     "DisplayName"="REG_SZ", "XTR0N PC-Speedup"
     "DisplayVersion"="REG_SZ", "1.0.0.30"
     "EstimatedSize"="REG_DWORD", 15723
     "Inno Setup: App Path"="REG_SZ", "C:\Program Files\XTR0N PC-Speedup_{username}"
     "Inno Setup: Icon Group"="REG_SZ", "XTR0N PC-Speedup_{username}"
     "Inno Setup: Language"="REG_SZ", "en"
     "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)"
     "Inno Setup: User"="REG_SZ", "{username}"
     "InstallDate"="REG_SZ", "20190822"
     "InstallLocation"="REG_SZ", "C:\Program Files\XTR0N PC-Speedup_{username}\"
     "MajorVersion"="REG_DWORD", 1
     "MinorVersion"="REG_DWORD", 0
     "NoModify"="REG_DWORD", 1
     "NoRepair"="REG_DWORD", 1
     "QuietUninstallString"="REG_SZ", ""C:\Program Files\XTR0N PC-Speedup_{username}\unins000.exe" /SILENT"
     "UninstallString"="REG_SZ", ""C:\Program Files\XTR0N PC-Speedup_{username}\unins000.exe""
     [HKEY_LOCAL_MACHINE\SOFTWARE\WFRSME4gUEMtU3BlZWR1cA==\ACT]
     "data"="REG_BINARY, ....................................................................................................
     [HKEY_LOCAL_MACHINE\SOFTWARE\xsc-pr]
     "btnid"="REG_SZ", ""
     "country"="REG_SZ", "us"
     "LangCode"="REG_SZ", "en"
     "lpid"="REG_SZ", ""
     "pxl"="REG_SZ", ""
     "referUrl"="REG_SZ", ""
     "TELNO"="REG_SZ", ""
     "utm_campaign"="REG_SZ", ""
     "utm_medium"="REG_SZ", ""
     "utm_pubid"="REG_SZ", ""
     "utm_source"="REG_SZ", ""
     "x-at"="REG_SZ", ""
     "x-context"="REG_SZ", ""
     "x-plt"="REG_SZ", ""
     "x-var1"="REG_SZ", ""
     "x-var2"="REG_SZ", ""
     "x-var3"="REG_SZ", ""
     [HKEY_LOCAL_MACHINE\SOFTWARE\XTR0N PC-Speedup_{username}]
     "affired"="REG_DWORD", 1
     "afterInstallUrl"="REG_SZ", "http://ins.system-cleaner.live/install/xps/?"
     "apst"="REG_DWORD", 0
     "cbkpoff"="REG_DWORD", 1
     "country"="REG_SZ", "us"
     "cta"="REG_DWORD", 0
     "delayfront"="REG_DWORD", 0
     "delaytime"="REG_DWORD", 0
     "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL"
     "EmailURL"="REG_SZ", ""
     "expired"="REG_DWORD", 0
     "hdata"="REG_BINARY, .........................................................................................................................................................................................................................................................................................................................................
     "Installstring"="REG_SZ", "C:\Program Files\XTR0N PC-Speedup_{username}"
     "ipaddrurl"="REG_SZ", "http://ins.system-cleaner.live/getip/"
     "isavst"="REG_DWORD", 0
     "isiunidu"="REG_DWORD", 0
     "isprmjsn"="REG_DWORD", 0
     "isshowng"="REG_DWORD", 1
     "issilent"="REG_DWORD", 0
     "ISTELNO"="REG_DWORD", 0
     "LangCode"="REG_SZ", "en"
     "lstregscancount"="REG_DWORD", 74
     "lstscandate"="REG_SZ", "8/22/2019 9:07:28 AM"
     "lstscanstat"="REG_DWORD", 2
     "lstsecscancount"="REG_DWORD", 0
     "lsttotalscancount"="REG_DWORD", 74
     "ovoffdis"="REG_DWORD", 0
     "paramurl"="REG_SZ", "http://trkr.xscactiv.com/ipfiles/"
     "pdtm"="REG_DWORD", 30
     "playsound"="REG_DWORD", 1
     "prereg"="REG_DWORD", 0
     "PurchaseURL"="REG_SZ", "http://www.syscarestore.com/xps/price?"
     "reg"="REG_DWORD", 0
     "RenewURL"="REG_SZ", "http://www.syscarestore.com/xps/renewal?"
     "runcam"="REG_DWORD", 1
     "runpixel"="REG_DWORD", 1
     "runsrc"="REG_DWORD", 1
     "showtn"="REG_DWORD", 0
     "showunins"="REG_DWORD", 0
     "showwfo"="REG_DWORD", 0
     "stdismax"="REG_DWORD", -1
     "supporturl"="REG_SZ", "http://www.system-cleaner.live/help/"
     "TELNO"="REG_SZ", "855-446-9808"
     "TELNO_ar"="REG_SZ", ""
     "TELNO_at"="REG_SZ", ""
     "TELNO_au"="REG_SZ", ""
     "TELNO_be"="REG_SZ", ""
     "TELNO_br"="REG_SZ", ""
     "TELNO_ca"="REG_SZ", "855-446-9808"
     "TELNO_ch"="REG_SZ", ""
     "TELNO_de"="REG_SZ", ""
     "TELNO_dk"="REG_SZ", ""
     "TELNO_es"="REG_SZ", ""
     "TELNO_fi"="REG_SZ", ""
     "TELNO_fr"="REG_SZ", ""
     "TELNO_gb"="REG_SZ", ""
     "TELNO_it"="REG_SZ", ""
     "TELNO_ja"="REG_SZ", ""
     "TELNO_lu"="REG_SZ", ""
     "TELNO_nl"="REG_SZ", ""
     "TELNO_no"="REG_SZ", ""
     "TELNO_pt"="REG_SZ", ""
     "TELNO_se"="REG_SZ", ""
     "TELNO_uk"="REG_SZ", ""
     "TELNO_us"="REG_SZ", "855-446-9808"
     "WebURL"="REG_SZ", "http://www.system-cleaner.live/"
     "wfoset"="REG_DWORD", 1
     "x-ccode"="REG_SZ", "us"
     "x-datetime"="REG_SZ", ""
     "x-fetch"="REG_SZ", "0"
     "x-ip"="REG_SZ", "77_234_46_190"
     [HKEY_CURRENT_USER\Software\XTR0N PC-Speedup_{username}]
     "affiliateid"="REG_SZ", ""
     "InstallString"="REG_SZ", "C:\Program Files\XTR0N PC-Speedup_{username}"
     "LangCode"="REG_SZ", "en"
     "utm_medium"="REG_SZ", ""
     "x-datetime"="REG_SZ", ""
     "x-fetch"="REG_SZ", "0"
     "x-ip"="REG_SZ", "{user ip}"
     [HKEY_CURRENT_USER\Software\XTR0N PC-Speedup_{username}\1.0.0.30]
     "Installstring"="REG_SZ", "C:\Program Files\XTR0N PC-Speedup_{username}"

     Malwarebytes log:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 8/22/19
     Scan Time: 9:19 AM
     Log File: 24390072-c4ad-11e9-9095-00ffdcc6fdfc.json

     -Software Information-
     Version: 3.8.3.2965
     Components Version: 1.0.613
     Update Package Version: 1.0.12133
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 236364
     Threats Detected: 73
     Threats Quarantined: 73
     Time Elapsed: 9 min, 22 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 1
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\rgcl.exe, Quarantined, [469], [722957],1.0.12133

     Module: 6
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\x64\SQLite.Interop.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\rgcl.exe, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\System.Data.SQLite.DLL, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\TAFactory.IconPack.dll, Quarantined, [469], [722957],1.0.12133

     Registry Key: 8
     PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\XTR0N PC-Speedup_Logon, Quarantined, [469], [722959],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{99567D9D-5EB6-40A7-98EF-A7A20D1D395F}, Quarantined, [469], [722959],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{99567D9D-5EB6-40A7-98EF-A7A20D1D395F}, Quarantined, [469], [722959],1.0.12133
     PUP.Optional.PCVARK, HKCU\SOFTWARE\XTR0N PC-Speedup_{username}, Quarantined, [469], [722934],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{67AD45F0-1FD9-4125-83A6-4A0CD3ED8BC8}_is1, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR, Quarantined, [469], [698879],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\WFRSME4gUEMtU3BlZWR1cA==, Quarantined, [469], [722976],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\XTR0N PC-Speedup_{username}, Quarantined, [469], [722958],1.0.12133

     Registry Value: 4
     PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{67AD45F0-1FD9-4125-83A6-4A0CD3ED8BC8}_IS1|DISPLAYNAME, Quarantined, [469], [722933],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR|UTM_CAMPAIGN, Quarantined, [469], [698879],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{99567D9D-5EB6-40A7-98EF-A7A20D1D395F}|PATH, Quarantined, [469], [722961],1.0.12133
     PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{67AD45F0-1FD9-4125-83A6-4A0CD3ED8BC8}_is1|INSTALLLOCATION, Quarantined, [469], [722954],1.0.12133

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 8
     PUP.Optional.PCVARK, C:\PROGRAMDATA\XTR0N PC-Speedup_{username}, Quarantined, [469], [722956],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\x64, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\x86, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\PROGRAM FILES\XTR0N PC-Speedup_{username}, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}\smico, Quarantined, [469], [722955],1.0.12133
     PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\XTR0N PC-Speedup_{username}, Quarantined, [469], [722955],1.0.12133
     PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\XTR0N PC-Speedup_{username}, Quarantined, [469], [722964],1.0.12133
     PUP.Optional.PCVARK, C:\PROGRAMDATA\XTR0N PC-Speedup_{username}, Quarantined, [469], [722931],1.0.12133

     File: 46
     PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\XTR0N PC-Speedup_Logon, Quarantined, [469], [722959],1.0.12133
     PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\XTR0N PC-Speedup.lnk, Quarantined, [469], [722965],1.0.12133
     PUP.Optional.PCVARK, C:\PROGRAMDATA\XTR0N PC-Speedup_{username}\mdb.db, Quarantined, [469], [722956],1.0.12133
     PUP.Optional.PCVARK, C:\PROGRAM FILES\XTR0N PC-Speedup_{username}\unins000.dat, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\x64\SQLite.Interop.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\x86\SQLite.Interop.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\kimg.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\application.ico, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\danish_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\Dutch_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\english_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\finish_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\French_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\german_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\HtmlRenderer.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\HtmlRenderer.WinForms.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\Interop.SHDocVw.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\italian_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\japanese_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\langs.db, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\NAudio.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\Newtonsoft.Json.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\norwegian_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\portuguese_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\rgcl.exe, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\rgcl.exe.config, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\russian_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\spanish_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\swedish_iss.ini, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\System.Data.SQLite.DLL, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\TAFactory.IconPack.dll, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\unins000.exe, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\Program Files\XTR0N PC-Speedup_{username}\unins000.msg, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\XTR0N PC-Speedup.lnk, Quarantined, [469], [722957],1.0.12133
     PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\XTR0N PC-Speedup_{username}\Errorlog.txt, Quarantined, [469], [722955],1.0.12133
     PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}\aptnotfr.xml, Quarantined, [469], [722955],1.0.12133
     PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}\exlist.bin, Quarantined, [469], [722955],1.0.12133
     PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}\res.xml, Quarantined, [469], [722955],1.0.12133
     PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\XTR0N PC-Speedup_{username}\upt.xml, Quarantined, [469], [722955],1.0.12133
     PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XTR0N PC-Speedup_{username}\Buy XTR0N PC-Speedup.lnk, Quarantined, [469], [722964],1.0.12133
     PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XTR0N PC-Speedup_{username}\Uninstall XTR0N PC-Speedup.lnk, Quarantined, [469], [722964],1.0.12133
     PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XTR0N PC-Speedup_{username}\XTR0N PC-Speedup.lnk, Quarantined, [469], [722964],1.0.12133
     PUP.Optional.PCVARK, C:\ProgramData\XTR0N PC-Speedup_{username}\mdb.db, Quarantined, [469], [722931],1.0.12133
     PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\XPSSETUP.EXE, Quarantined, [469], [722928],1.0.12133

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
     We use different ways of protecting your computer(s):
     Dynamically Blocks Malware Sites & Servers
     Malware Execution Prevention
     Save yourself the hassle and get protected.
  3. What is ITL Driver Updater?The Malwarebytes research team has determined that ITL Driver Updater is a "driver updater". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with ITL Driver Updater?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did ITL Driver Updater get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove ITL Driver Updater?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of ITL Driver Updater? No, Malwarebytes removes ITL Driver Updater completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. 
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below, the full version of Malwarebytes would have protected you against the ITL Driver Updater installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and we block access to their domain:

Technical details for experts
You may see these entries in FRST logs:
(INNOVANA THINKLABS LIMITED -> innovanathinklabs.com) C:\Program Files\ITL Driver Updater\itldu.exe
Task: {DBA0A279-077A-41CC-88F0-0B091DD24345} - System32\Tasks\ITL Driver Updater_Logon => C:\Program Files\ITL Driver Updater\itldu.exe [5048944 2019-05-15] (INNOVANA THINKLABS LIMITED -> innovanathinklabs.com)
Task: {E5B3DA9E-9775-4D34-AA5F-CAE52082320F} - System32\Tasks\ITL Driver Updater skipuac => C:\Program Files\ITL Driver Updater\itldu.exe [5048944 2019-05-15] (INNOVANA THINKLABS LIMITED -> innovanathinklabs.com)
C:\Users\Public\Desktop\ITL Driver Updater.lnk
C:\Windows\System32\Tasks\ITL Driver Updater skipuac
C:\Windows\System32\Tasks\ITL Driver Updater_Logon
C:\Users\{username}\AppData\Roaming\innovanathinklabs.com
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ITL Driver Updater
C:\Program Files\ITL Driver Updater
ITL Driver Updater (HKLM\...\{2E3A3AFE-28A9-4C6D-ABB9-DB5CE6E11DB8}_is1) (Version: 1.0.0.6 - innovanathinklabs.com)

Alterations made by the installer:

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/21/19
Scan Time: 9:39 AM
Log File: c9e564ba-c3e6-11e9-8f75-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.12115
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236305
Threats Detected: 74
Threats Quarantined: 74
Time Elapsed: 7 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  4. What is Sunnyweb?
The Malwarebytes research team has determined that Sunnyweb is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice.
This particular one hijacks search results from the best known search sites and redirects them to their own site, adding sponsored results.

How do I know if my computer is affected by Sunnyweb?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
The install crashes Chrome, but the extension will still be functional.

How did Sunnyweb get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Sunnyweb?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Sunnyweb?
No, Malwarebytes removes Sunnyweb completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes would have protected you against the Sunnyweb hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
CHR Extension: (Sunnyweb) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjlnneljbcbagdhjldpdechneecnok [2019-08-19]

Alterations made by the installer:

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/20/19
Scan Time: 9:10 AM
Log File: 96da51fc-c319-11e9-afd3-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.12093
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236071
Threats Detected: 41
Threats Quarantined: 41
Time Elapsed: 7 min, 15 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
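The "list of installed Chrome extensions" check above can also be done from a script. This is an added example and not part of the original post: it walks every Chrome profile under the current user's data folder, reads each extension's manifest.json, and flags extensions that either carry a known hijacker ID or declare the manifest keys that replace the start page, new-tab page or default search provider, which is the behaviour the post describes as hijacking. It assumes Chrome's default user-data location and PowerShell 3.0 or later; the only ID it ships with is Sunnyweb's (lghjlnneljbcbagdhjldpdechneecnok, from the FRST entry above) and the parameter and function names are my own.

```powershell
# Added example, not the author's code. Inventory Chrome extensions per profile and
# flag known hijacker IDs and settings-override manifests.
param(
    # Known hijacker IDs; the Sunnyweb ID comes from the FRST entry in the post above.
    [string[]]$KnownBadIds = @('lghjlnneljbcbagdhjldpdechneecnok'),
    # Default Chrome user-data folder (assumption: standard install location).
    [string]$UserData = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data')
)

if (-not (Test-Path $UserData)) { Write-Warning "No Chrome user data at $UserData"; exit 1 }

# Chrome stores localized names as __MSG_<key>__; resolve them from _locales/<lang>/messages.json.
function Resolve-ExtName([string]$name, [string]$versionDir, [string]$defaultLocale) {
    if ($name -notmatch '^__MSG_(.+)__$') { return $name }
    $key = $Matches[1]
    foreach ($loc in @($defaultLocale, 'en', 'en_US')) {
        if (-not $loc) { continue }
        $msgFile = Join-Path $versionDir "_locales\$loc\messages.json"
        if (Test-Path $msgFile) {
            $msgs  = Get-Content $msgFile -Raw | ConvertFrom-Json
            $entry = $msgs.PSObject.Properties[$key]
            if ($entry) { return $entry.Value.message }
        }
    }
    return $name
}

# Manifest keys a hijacker uses to take over start page, new tab page or search provider.
$overrideKeys = 'chrome_settings_overrides', 'chrome_url_overrides'

$results = foreach ($profile in Get-ChildItem $UserData -Directory |
          Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') }) {
    $extRoot = Join-Path $profile.FullName 'Extensions'
    foreach ($extDir in Get-ChildItem $extRoot -Directory) {
        # Each extension-ID folder holds one or more <version>_<n> folders (e.g. 2.8_0).
        foreach ($verDir in Get-ChildItem $extDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            try   { $m = Get-Content $manifestPath -Raw | ConvertFrom-Json }
            catch { Write-Warning "Unreadable manifest: $manifestPath"; continue }
            $overrides = @($overrideKeys | Where-Object { $m.PSObject.Properties[$_] })
            [pscustomobject]@{
                Profile   = $profile.Name
                Id        = $extDir.Name
                Name      = Resolve-ExtName $m.name $verDir.FullName $m.default_locale
                Version   = $m.version
                KnownBad  = ($KnownBadIds -contains $extDir.Name)
                Overrides = ($overrides -join ',')
                Path      = $verDir.FullName
            }
        }
    }
}

# Full inventory first, then only the entries worth a closer look.
$results | Sort-Object Profile, Name |
    Format-Table Profile, Id, Name, Version, KnownBad, Overrides -AutoSize

$suspect = $results | Where-Object { $_.KnownBad -or $_.Overrides }
if ($suspect) {
    Write-Host "`nSuspicious extensions:`n"
    $suspect | Format-List Profile, Id, Name, Overrides, Path
} else {
    Write-Host "`nNo known hijacker IDs or settings-override extensions found."
}
```

An extension that sets chrome_settings_overrides is not automatically malicious (legitimate search tools use it too), so treat a hit as a prompt to inspect that folder, not as a verdict.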
  5. What is PC SpeedLane?
The Malwarebytes research team has determined that PC SpeedLane is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with PC SpeedLane?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your start menu, and on your desktop:
and see this warning during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and these tasks in your list of Scheduled Tasks:

How did PC SpeedLane get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:

How do I remove PC SpeedLane?
Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of PC SpeedLane?
No, Malwarebytes removes PC SpeedLane completely.
This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
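The scheduled-task check in this step (the ITL Driver Updater post above carries the same note) can be scripted, which is useful because both PUPs register several tasks that all point back at the program's own executable. This added example is not the author's; it uses the Schedule.Service COM interface so it also runs on Windows 7, where the posts' logs were taken and where the Get-ScheduledTask cmdlet does not exist. The folder prefixes are taken from the two posts' FRST entries; the -Remove switch and the helper function name are my own.

```powershell
# Added example, not the author's code. Find scheduled tasks whose action launches an
# executable under a folder the PUP installs into; report them, and delete them on request.
param(
    # Install folders from the ITL Driver Updater and PC SpeedLane FRST entries on this page.
    [string[]]$SuspectPaths = @(
        'C:\Program Files\ITL Driver Updater\',
        'C:\Program Files (x86)\SpeedLane\'
    ),
    [switch]$Remove   # without -Remove the script only reports (hypothetical switch name)
)

# Schedule.Service exists on Vista and later, unlike the ScheduledTasks module (Win 8+).
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()

# Recursively enumerate every task; installers may register at the root or in a subfolder.
function Get-AllTasks($folder) {
    foreach ($t in $folder.GetTasks(1)) { $t }            # 1 = TASK_ENUM_HIDDEN
    foreach ($sub in $folder.GetFolders(0)) { Get-AllTasks $sub }
}

$hits = foreach ($task in Get-AllTasks $svc.GetFolder('\')) {
    $def = $task.Definition
    foreach ($action in $def.Actions) {
        if ($action.Type -ne 0) { continue }                # 0 = TASK_ACTION_EXEC
        $exe = [Environment]::ExpandEnvironmentVariables($action.Path).Trim('"')
        foreach ($p in $SuspectPaths) {
            if ($exe.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Task     = $task.Path
                    Exe      = $exe
                    Args     = $action.Arguments
                    # RunLevel 1 = TASK_RUNLEVEL_HIGHEST: the task starts the program already
                    # elevated, so no UAC prompt appears at launch. A task named "... skipuac",
                    # as in the ITL post, suggests that purpose (assumption, not verified here).
                    Elevated = ($def.Principal.RunLevel -eq 1)
                    # Trigger type codes: 9 = logon, 8 = boot, 2 = daily, 3 = weekly, 1 = once.
                    Triggers = (($def.Triggers | ForEach-Object { $_.Type }) -join ',')
                }
            }
        }
    }
}

if (-not $hits) { Write-Host 'No scheduled tasks point into the suspect folders.'; exit 0 }
$hits | Format-Table -AutoSize

if ($Remove) {
    # Deleting tasks needs an elevated PowerShell session.
    foreach ($h in $hits) {
        $parent = Split-Path $h.Task -Parent
        if ([string]::IsNullOrEmpty($parent)) { $parent = '\' }
        $leaf = Split-Path $h.Task -Leaf
        $svc.GetFolder($parent).DeleteTask($leaf, 0)
        Write-Host "Removed task $($h.Task)"
    }
}
```

Run it without -Remove first and compare the output with the Task entries in the FRST log; removing the tasks does not remove the program itself, which is what the Malwarebytes scan above is for.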
How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this system optimizer.

As you can see below, the full version of Malwarebytes would have protected you against the PC SpeedLane installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

You may see these entries in FRST logs:

(Speedlane LLC -> ) C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe
Task: {985D992F-BADA-4702-BDFA-ED418147A53D} - System32\Tasks\SPLANE_{username}_PCSpeedLane_LogonTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )
Task: {B710625B-1C4F-4A64-B2A9-4DCEE81D1DE9} - System32\Tasks\SPLANE_{username}_PCSpeedLane_LG_DailyTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )
Task: {BA2F27BE-0A65-4BD5-B225-FD2967E39E62} - System32\Tasks\SPLANE_{username}_PCSpeedLane_RS_WeeklyTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )
Task: {C002A979-16FF-4520-AF89-812739A0FF93} - System32\Tasks\SPLANE_{username}_PCSpeedLane_RS_DailyTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )
Task: {CF0A7ED0-9696-4FE2-B896-5F1D0122CC61} - System32\Tasks\SPLANE_SPCTApp@Runner => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )
C:\Windows\System32\Tasks\SPLANE_{username}_PCSpeedLane_RS_WeeklyTask
C:\Windows\System32\Tasks\SPLANE_{username}_PCSpeedLane_RS_DailyTask
C:\Windows\System32\Tasks\SPLANE_{username}_PCSpeedLane_LG_DailyTask
C:\Windows\System32\Tasks\SPLANE_{username}_PCSpeedLane_LogonTask
C:\Windows\System32\Tasks\SPLANE_SPCTApp@Runner
C:\Users\Public\Desktop\PC SpeedLane.lnk
C:\ProgramData\SpeedLane
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpeedLane
C:\ProgramData\Errors
C:\ProgramData\DumpFiles
C:\Program Files (x86)\SpeedLane
C:\Users\{username}\AppData\Local\PC SpeedLane-Logs
PC SpeedLane (HKLM-x32\...\PCSpeedLane_is1) (Version: 2.0.7 - SpeedLane)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PCSpeedLane_is1]
"_QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\SpeedLane\PCSpeedLane\unins000.exe" /SILENT"
"_UninstallString"="REG_SZ", ""C:\Program Files (x86)\SpeedLane\PCSpeedLane\unins000.exe""
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe"
"DisplayName"="REG_SZ", "PC SpeedLane"
"DisplayVersion"="REG_SZ", "2.0.7"
"EstimatedSize"="REG_DWORD", 26707
"extLaunch"="REG_SZ", "Runapp.exe"
"HelpLink"="REG_SZ", "http://www.pcspeedlane.com/support.html?lang=en"
"Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\SpeedLane\PCSpeedLane"
"Inno Setup: Icon Group"="REG_SZ", "SpeedLane\PC SpeedLane"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.5.5 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20190819"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\SpeedLane\PCSpeedLane\"
"InstallSource"="REG_SZ", "C:\ProgramData\SpeedLane\PCSpeedLane"
"MajorVersion"="REG_DWORD", 2
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 0
"NoRepair"="REG_DWORD", 0
"Publisher"="REG_SZ", "SpeedLane"
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\SpeedLane\PCSpeedLane\unins000.exe" /SILENT"
"RegCompany"="REG_SZ", "SpeedLane"
"registryHive"="REG_SZ", "HKLM"
"RegOwner"="REG_SZ", "SpeedLane"
"SEPrefix"="REG_SZ", "SPLANE_"
"Un_SetupName"="REG_SZ", "payloadSetup.exe"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\SpeedLane\PCSpeedLane\gouninst.exe" /keyprog=PCSpeedLane_is1"
"URLInfoAbout"="REG_SZ", "http://www.pcspeedlane.com/support.html?lang=en"
"USER_INST"="REG_SZ", "{username}"
"VERSION_SFX"="REG_SZ", "EN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SpeedLane\PCSpeedLane]
"BROWSERNAME"="REG_SZ", "IE"
"BROWSERVERSION"="REG_SZ", "8.0"
"c2"="REG_SZ", "VersionA"
"ConFilesURL"="REG_SZ", "http://dev.pcspeedcat.com/setupit/products/pcat/stubimages/pcspeedlane/"
"ConfName"="REG_SZ", "downfilelist.txt"
"defaultpostfix"="REG_SZ", "DE,DA"
"ExitPop"="REG_SZ", "1"
"ExternalAppInstalled"="REG_SZ", ""
"InstallPath"="REG_SZ", "C:\Program Files (x86)\SpeedLane\PCSpeedLane"
"IPADDRESS"="REG_SZ", "17.54.148.81"
"lang_id"="REG_SZ", "0"
"Language"="REG_SZ", "1033"
"LOAD_LINK"="REG_SZ", "http://www.pcspeedlane.com/run/click/speedlaneweb/go/regc"
"OptionalAddOnInstalled"="REG_SZ", ""
"OSVERSION"="REG_SZ", "Windows XP"
"ProdType"="REG_SZ", "pcat"
"RemoveExternalApp"="REG_SZ", "0"
"SendAnonInfo"="REG_SZ", "1"
"SpeedLane-loadlink"="REG_SZ", ""
"STUBDOWNLOADTIME"="REG_SZ", "2019-08-14 06:20:18.305838"
"UNIQUEID"="REG_SZ", "0a162e29d19f2cc3"
"USERCOUNTRY"="REG_SZ", "US"
"USERLANGUAGE"="REG_SZ", "en"
"Version"="REG_SZ", "2.0.7"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/19/19
Scan Time: 11:00 AM
Log File: c9cead16-c25f-11e9-9268-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.12079
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236154
Threats Detected: 146
Threats Quarantined: 146
Time Elapsed: 10 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.

We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
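The scheduled tasks in the FRST excerpt are the part of this PUP that a plain uninstall tends to leave behind, so an analyst triaging such a log wants them pulled out and mapped to the locations that must be gone after cleanup. The following is an added example, not code from the post or from Malwarebytes: a Python parser for FRST Task: lines that flags a task either by the SPLANE_ name prefix (the installer's SEPrefix value) or by a target executable under the SpeedLane install directory, and lists the task file and the TaskCache registry keys every task leaves; the task lines are copied from the post, the benign defrag line is constructed.

```python
"""Triage FRST 'Task:' entries for scheduled tasks left by a PUP.

Added example, not from the Malwarebytes post: the task lines in
SAMPLE_LINES are copied from the post's FRST excerpt, the defrag line is
constructed, and the prefix / install directory come from the post's
registry details ("SEPrefix"="SPLANE_", "InstallPath"=...).
"""
import re
from dataclasses import dataclass

# FRST writes one line per task in this shape:
#   Task: {GUID} - System32\Tasks\NAME => C:\path\prog.exe [size date] (Signer -> )
TASK_RE = re.compile(
    r"^Task:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*-\s*(?:System32\\Tasks\\)?(?P<name>.+?)"
    r"\s*=>\s*(?P<target>.+?)"
    r"(?:\s*\[(?P<size>\d+)\s+(?P<date>[\d-]+)\])?"
    r"\s*(?:\((?P<signer>[^)]*)\))?\s*$"
)

TASKCACHE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"


@dataclass(frozen=True)
class TaskEntry:
    guid: str      # task id as stored under TaskCache\Tasks
    name: str      # path under System32\Tasks (may contain subfolders)
    target: str    # executable the task launches
    signer: str    # FRST signer annotation, "" when absent


def parse_task_line(line: str):
    """Return a TaskEntry for an FRST task line, or None for any other line."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    return TaskEntry(m["guid"].upper(), m["name"], m["target"].strip(),
                     (m["signer"] or "").strip())


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\").rstrip("\\")


def is_suspicious(entry: TaskEntry, name_prefixes, pup_dirs) -> bool:
    """Flag a task by name prefix or by a target inside a known PUP directory."""
    name = entry.name.lower()
    if any(name.startswith(p.lower()) for p in name_prefixes):
        return True
    target = _norm(entry.target)
    return any(target.startswith(_norm(d) + "\\") for d in pup_dirs)


def triage(lines, name_prefixes, pup_dirs):
    """Parse every line and keep the tasks that match the PUP indicators."""
    flagged = []
    for line in lines:
        entry = parse_task_line(line)
        if entry is not None and is_suspicious(entry, name_prefixes, pup_dirs):
            flagged.append(entry)
    return flagged


def artifacts(entry: TaskEntry):
    """Locations that must be gone once the task is removed.

    Tree\\<name> and Tasks\\{guid} exist for every task; the trigger-type keys
    (Plain, Logon, Boot) differ per task and are not listed here.
    """
    return {
        "task_file": r"C:\Windows\System32\Tasks" + "\\" + entry.name,
        "tree_key": TASKCACHE + r"\Tree" + "\\" + entry.name,
        "task_key": TASKCACHE + r"\Tasks\{" + entry.guid + "}",
    }


KNOWN_PREFIXES = ["SPLANE_"]
KNOWN_DIRS = [r"C:\Program Files (x86)\SpeedLane"]

SAMPLE_LINES = [
    # running-process line from the post: not a task, parser must skip it
    r"(Speedlane LLC -> ) C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe",
    r"Task: {985D992F-BADA-4702-BDFA-ED418147A53D} - System32\Tasks\SPLANE_{username}_PCSpeedLane_LogonTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )",
    r"Task: {B710625B-1C4F-4A64-B2A9-4DCEE81D1DE9} - System32\Tasks\SPLANE_{username}_PCSpeedLane_LG_DailyTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )",
    r"Task: {BA2F27BE-0A65-4BD5-B225-FD2967E39E62} - System32\Tasks\SPLANE_{username}_PCSpeedLane_RS_WeeklyTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )",
    r"Task: {C002A979-16FF-4520-AF89-812739A0FF93} - System32\Tasks\SPLANE_{username}_PCSpeedLane_RS_DailyTask => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )",
    r"Task: {CF0A7ED0-9696-4FE2-B896-5F1D0122CC61} - System32\Tasks\SPLANE_SPCTApp@Runner => C:\Program Files (x86)\SpeedLane\PCSpeedLane\PCSpeedLane.exe [2018336 2018-04-27] (Speedlane LLC -> )",
    # constructed benign task (GUID, size and date are made up) that must not be flagged
    r"Task: {C1D2E3F4-0000-4000-8000-000000000001} - System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\System32\defrag.exe [123456 2019-01-01] (Microsoft Windows -> Microsoft Corporation)",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES, KNOWN_PREFIXES, KNOWN_DIRS):
        print(entry.name, "->", entry.target)
        for label, location in artifacts(entry).items():
            print("   ", label + ":", location)
```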
  6. What is MovieBox Default Search?

The Malwarebytes research team has determined that MovieBox Default Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice.

This particular one is a search hijacker and uses web push notifications.

How do I know if my computer is affected by MovieBox Default Search?

You may see this entry in your list of installed Chrome extensions:

and these warnings during install:

You will see this icon in your Chrome menu-bar:

and these changed settings:

How did MovieBox Default Search get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:

after a redirect from their website:

How do I remove MovieBox Default Search?

Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of MovieBox Default Search?

No, Malwarebytes removes MovieBox Default Search completely. If you have allowed the notifications, you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes would have protected you against the MovieBox Default Search hijacker.
It would have blocked their website, giving you a chance to stop before it became too late.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.moviebox-online.com/?q={searchTerms}&publisher=movie-box&barcodeid=521920000000000
CHR DefaultSearchKeyword: Default -> MovieBox Search
CHR DefaultSuggestURL: Default -> hxxps://api.moviebox-online.com/suggest/get?q={searchTerms}
CHR Extension: (MovieBox Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh [2019-08-16]

Alterations made by the installer:

File system details (Selection)
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0
Adds the file closer.js"="8/7/2018 11:31 AM, 15 bytes, A
Adds the file manifest.json"="8/16/2019 8:59 AM, 2231 bytes, A
Adds the file tab.html"="8/7/2018 11:31 AM, 165 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata
Adds the file computed_hashes.json"="8/16/2019 8:59 AM, 794 bytes, A
Adds the file verified_contents.json"="4/10/2019 2:34 PM, 2253 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons
Adds the file 128x128.png"="8/16/2019 8:59 AM, 13201 bytes, A
Adds the file 16x16.png"="8/16/2019 8:59 AM, 698 bytes, A
Adds the file 32x32.png"="8/16/2019 8:59 AM, 1943 bytes, A
Adds the file 64x64.png"="8/16/2019 8:59 AM, 5371 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts
Adds the file background.js"="4/10/2019 2:40 PM, 31384 bytes, A
Adds the file sitecontent.js"="8/7/2018 11:31 AM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_genhcdlnoedbdchadffldpoabfimgfgh
Adds the file MovieBox Default Search.ico"="8/16/2019 8:59 AM, 199356 bytes, A
Adds the file MovieBox Default Search.ico.md5"="8/16/2019 8:59 AM, 16 bytes, A

Registry details (Selection)
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"genhcdlnoedbdchadffldpoabfimgfgh"="REG_SZ", "542CDF404467B4047748BD3D31F7A536A3ACC9FF6CDF9F6BDA669E600101A454"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/16/19
Scan Time: 9:13 AM
Log File: 5da85f36-bff5-11e9-b938-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.12037
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236317
Threats Detected: 22
Threats Quarantined: 22
Time Elapsed: 6 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.MovieBox, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|genhcdlnoedbdchadffldpoabfimgfgh, Quarantined, [338], [672265],1.0.12037

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 6
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GENHCDLNOEDBDCHADFFLDPOABFIMGFGH, Quarantined, [338], [672265],1.0.12037

File: 15
PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GENHCDLNOEDBDCHADFFLDPOABFIMGFGH\2.1.1_0\MANIFEST.JSON, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\128x128.png, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\16x16.png, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\32x32.png, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\64x64.png, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts\background.js, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts\sitecontent.js, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata\computed_hashes.json, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata\verified_contents.json, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\closer.js, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\tab.html, Quarantined, [338], [672265],1.0.12037
PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [338], [672264],1.0.12037
PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [338], [672264],1.0.12037

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  7. What is MergeDocsNow?
The Malwarebytes research team has determined that MergeDocsNow is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
MergeDocsNow is a member of the Mindspark/Ask family now known as IAC Applications.

How do I know if my computer is affected by MergeDocsNow?
You may see these browser extensions/add-ons:
these warnings during install:
You may see this entry in your list of installed software:
and this new homepage in the affected browsers:

How did MergeDocsNow get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.

How do I remove MergeDocsNow?
Our program Malwarebytes can detect and remove this potentially unwanted program.
You can use their own uninstall instructions first, but I would advise following the steps below anyway.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of MergeDocsNow?
No, Malwarebytes' Anti-Malware removes MergeDocsNow completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the MergeDocsNow hijacker.
It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.
and it blocks traffic to some of their domains:

Technical details for experts

Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/mergedocsnow/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}
FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _hxMembers_@free.mergedocsnow.com
FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _hxMembers_@free.mergedocsnow.com
FF Extension: (MergeDocsNow) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_hxMembers_@free.mergedocsnow.com.xpi [2019-08-15] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=230578682&version=8.914.15.59070&track=TTAB02&trackRevision=1&fromId=_hxMembers_%40free.mergedocsnow.com&isBridgeExtension=false]
CHR NewTab: Default -> Active:"chrome-extension://picpadgnaiehfpanhlnlejeelgohjpid/ntp.html"
CHR Extension: (MergeDocsNow) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid [2019-08-15]
C:\Users\{username}\AppData\Local\MergeDocsNowTooltab
MergeDocsNow Internet Explorer Homepage and New Tab (HKCU\...\MergeDocsNowTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION

Significant changes made by the installers:

File system details (Selection)
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0
Adds the file manifest.json"="8/15/2019 9:19 AM, 2639 bytes, A
Adds the file ntp.html"="6/6/2019 6:15 PM, 1423 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales\en
Adds the file messages.json"="8/15/2019 9:19 AM, 199 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata
Adds the file computed_hashes.json"="8/15/2019 9:19 AM, 5503 bytes, A
Adds the file verified_contents.json"="6/6/2019 6:15 PM, 5999 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\config
Adds the file config.json"="6/6/2019 6:15 PM, 1483 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons
Adds the file icon128.png"="8/15/2019 9:19 AM, 11686 bytes, A
Adds the file icon16.png"="6/6/2019 6:15 PM, 1466 bytes, A
Adds the file icon19disabled.png"="6/6/2019 6:15 PM, 1441 bytes, A
Adds the file icon19on.png"="8/15/2019 9:19 AM, 664 bytes, A
Adds the file icon48.png"="8/15/2019 9:19 AM, 2844 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js
Adds the file ajax.js"="6/6/2019 6:15 PM, 3263 bytes, A
Adds the file babAPI.js"="6/6/2019 6:15 PM, 5703 bytes, A
Adds the file babClickHandler.js"="6/6/2019 6:15 PM, 11430 bytes, A
Adds the file babContentScript.js"="6/6/2019 6:15 PM, 3749 bytes, A
Adds the file babContentScriptAPI.js"="6/6/2019 6:15 PM, 9842 bytes, A
Adds the file background.js"="6/6/2019 6:15 PM, 18011 bytes, A
Adds the file browserUtils.js"="6/6/2019 6:15 PM, 1536 bytes, A
Adds the file chrome.js"="6/6/2019 6:15 PM, 146 bytes, A
Adds the file contentScriptConnectionManager.js"="6/6/2019 6:15 PM, 22629 bytes, A
Adds the file dateTimeUtils.js"="6/6/2019 6:15 PM, 1213 bytes, A
Adds the file dlp.js"="6/6/2019 6:15 PM, 5783 bytes, A
Adds the file dlpHelper.js"="6/6/2019 6:15 PM, 1835 bytes, A
Adds the file extensionDetect.js"="6/6/2019 6:15 PM, 4354 bytes, A
Adds the file index.js"="6/6/2019 6:15 PM, 49 bytes, A
Adds the file localStorageContentScript.js"="6/6/2019 6:15 PM, 2236 bytes, A
Adds the file logger.js"="6/6/2019 6:15 PM, 531 bytes, A
Adds the file meta.js"="6/6/2019 6:15 PM, 1631 bytes, A
Adds the file offerService.js"="6/6/2019 6:15 PM, 16953 bytes, A
Adds the file pageUtils.js"="6/6/2019 6:15 PM, 3154 bytes, A
Adds the file PartnerId.js"="6/6/2019 6:15 PM, 16402 bytes, A
Adds the file polyfill.js"="6/6/2019 6:15 PM, 875 bytes, A
Adds the file product.js"="6/6/2019 6:15 PM, 7837 bytes, A
Adds the file remoteConfigLoader.js"="6/6/2019 6:15 PM, 5053 bytes, A
Adds the file splashPageRedirectHandler.js"="6/6/2019 6:15 PM, 2821 bytes, A
Adds the file storageUtils.js"="6/6/2019 6:15 PM, 1718 bytes, A
Adds the file TemplateParser.js"="6/6/2019 6:15 PM, 3153 bytes, A
Adds the file ul.js"="6/6/2019 6:15 PM, 3969 bytes, A
Adds the file urlFragmentActions.js"="6/6/2019 6:15 PM, 2450 bytes, A
Adds the file urlUtils.js"="6/6/2019 6:15 PM, 5906 bytes, A
Adds the file util.js"="6/6/2019 6:15 PM, 2779 bytes, A
Adds the file webtooltabAPI.js"="6/6/2019 6:15 PM, 9768 bytes, A
Adds the file webTooltabAPIProxy.js"="6/6/2019 6:15 PM, 8765 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid
Adds the file 000003.log"="8/15/2019 9:19 AM, 4966 bytes, A
Adds the file CURRENT"="8/15/2019 9:19 AM, 16 bytes, A
Adds the file LOCK"="8/15/2019 9:19 AM, 0 bytes, A
Adds the file LOG"="8/15/2019 9:19 AM, 185 bytes, A
Adds the file MANIFEST-000001"="8/15/2019 9:19 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\MergeDocsNowTooltab
Adds the file TooltabExtension.dll"="3/8/2019 10:49 PM, 266864 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
Adds the file _hxMembers_@free.mergedocsnow.com.xpi"="8/15/2019 9:21 AM, 87849 bytes, A

Registry details (Selection)
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"picpadgnaiehfpanhlnlejeelgohjpid"="REG_SZ", "79A10BF7C2918C860F265A98780A0B3C5645E90D1F333F2B48ACA7A38CA72A35"
[HKEY_CURRENT_USER\Software\MergeDocsNow]
"Start Page"="REG_SZ", "http://hp.myway.com/mergedocsnow/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}"
"UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://hp.myway.com/mergedocsnow/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MergeDocsNowTooltab Uninstall Internet Explorer]
"DisplayName"="REG_SZ", "MergeDocsNow Internet Explorer Homepage and New Tab"
"HelpLink"="REG_SZ", "http://support.mindspark.com/"
"Publisher"="REG_SZ", "Mindspark Interactive Network, Inc."
"UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\MergeDocsNowTooltab\TooltabExtension.dll" U uninstall:MergeDocsNow"
"URLInfoAbout"="REG_SZ", "http://support.mindspark.com/"

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/15/19
Scan Time: 9:27 AM
Log File: 34a0b98e-bf2e-11e9-8304-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.12017
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236478
Threats Detected: 70
Threats Quarantined: 70
Time Elapsed: 9 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 1
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MergeDocsNowTooltab\TooltabExtension.dll, Quarantined, [1768], [356944],1.0.12017

Registry Key: 2
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MergeDocsNowTooltab Uninstall Internet Explorer, Quarantined, [1768], [356944],1.0.12017
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MergeDocsNow, Quarantined, [1768], [444113],1.0.12017

Registry Value: 3
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MergeDocsNow|START PAGE, Quarantined, [1768], [444113],1.0.12017
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MergeDocsNowTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [642], [352442],1.0.12017
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|picpadgnaiehfpanhlnlejeelgohjpid, Quarantined, [1768], [443121],1.0.12017

Registry Data: 1
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [642], [293497],1.0.12017

Data Stream: 0
(No malicious items detected)

Folder: 10
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MergeDocsNowTooltab, Quarantined, [1768], [356944],1.0.12017
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales\en, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\config, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PICPADGNAIEHFPANHLNLEJEELGOHJPID, Quarantined, [1768], [443121],1.0.12017

File: 53
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MergeDocsNowTooltab\TooltabExtension.dll, Quarantined, [1768], [356944],1.0.12017
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_hxMembers_@free.mergedocsnow.com.xpi, Quarantined, [1768], [457930],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\000003.log, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\CURRENT, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\LOCK, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\LOG, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\MANIFEST-000001, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PICPADGNAIEHFPANHLNLEJEELGOHJPID\13.882.15.38113_0\MANIFEST.JSON, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\config\config.json, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon128.png, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon16.png, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon19disabled.png, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon19on.png, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon48.png, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\localStorageContentScript.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\ajax.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babAPI.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babClickHandler.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babContentScript.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babContentScriptAPI.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\background.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\browserUtils.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\chrome.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\contentScriptConnectionManager.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\dateTimeUtils.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\dlp.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\dlpHelper.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\extensionDetect.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\index.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\logger.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\meta.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\offerService.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\pageUtils.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\PartnerId.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\polyfill.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\product.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\remoteConfigLoader.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\splashPageRedirectHandler.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\storageUtils.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\TemplateParser.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\ul.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\urlFragmentActions.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\urlUtils.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\util.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\webtooltabAPI.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\webTooltabAPIProxy.js, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales\en\messages.json, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata\computed_hashes.json, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata\verified_contents.json, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\ntp.html, Quarantined, [1768], [443121],1.0.12017
PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\MERGEDOCSNOW.EXE, Quarantined, [642], [365288],1.0.12017

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
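The FRST lines in the MovieBox Default Search and MergeDocsNow posts above all come down to a handful of entries in the Chrome profile's Preferences and Secure Preferences JSON: the default search provider URLs, the homepage, the installed extension IDs and any extension that overrides the new tab page. The checker below is an added example (not Metallica's, Malwarebytes' or FRST's code) that reads those files and reports the same signs, and it generalises slightly by flagging any new-tab override, not only the listed IDs. It assumes Chrome's key layout as I know it (default_search_provider_data.template_url_data, homepage, session.startup_urls, and the manifest copy kept under extensions.settings); the indicator values are taken from the posts, and the sample document is constructed.

```python
"""Check a Chrome profile for the hijacker signs listed in the posts above.

Added example, not Malwarebytes or FRST code.  Indicator values come from the
MovieBox Default Search and MergeDocsNow posts; the Preferences key layout is
Chrome's as assumed here.
"""
import json
import os
from pathlib import Path
from urllib.parse import urlparse

# Extension IDs from the "CHR Extension:" FRST lines in the posts above.
HIJACKER_EXTENSION_IDS = {
    "genhcdlnoedbdchadffldpoabfimgfgh": "MovieBox Default Search",
    "picpadgnaiehfpanhlnlejeelgohjpid": "MergeDocsNow",
}
# Hosts from the DefaultSearchURL / DefaultSuggestURL / Start Page lines.
HIJACKER_HOSTS = {
    "feed.moviebox-online.com": "MovieBox Default Search",
    "api.moviebox-online.com": "MovieBox Default Search",
    "hp.myway.com": "MergeDocsNow (Mindspark/IAC)",
}


def _host(url):
    """Lower-cased hostname of a URL, or "" when it cannot be parsed."""
    try:
        return (urlparse(str(url)).hostname or "").lower()
    except ValueError:
        return ""


def find_hijack_signs(prefs):
    """Return a list of findings for one parsed Preferences document.

    Mirrors what the FRST lines report: DefaultSearchURL/DefaultSuggestURL,
    homepage and startup URLs, installed extensions, and NewTab overrides.
    """
    findings = []

    # Default search provider (FRST: CHR DefaultSearchURL / DefaultSuggestURL).
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("url", "suggestions_url"):
        host = _host(tpl.get(key, ""))
        if host in HIJACKER_HOSTS:
            findings.append(f"default search {key} points at {host} ({HIJACKER_HOSTS[host]})")

    # Homepage and startup URLs (FRST: HomepageOverride / Start Page).
    urls = [prefs.get("homepage", "")] + list(prefs.get("session", {}).get("startup_urls", []))
    for url in urls:
        host = _host(url)
        if host in HIJACKER_HOSTS:
            findings.append(f"homepage/startup URL points at {host} ({HIJACKER_HOSTS[host]})")

    # Installed extensions (FRST: CHR Extension / CHR NewTab).
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id in HIJACKER_EXTENSION_IDS:
            findings.append(f"extension {ext_id} installed ({HIJACKER_EXTENSION_IDS[ext_id]})")
        manifest = entry.get("manifest", {}) if isinstance(entry, dict) else {}
        newtab = manifest.get("chrome_url_overrides", {}).get("newtab")
        if newtab:
            # Any NewTab override is reported, known hijacker or not: this is
            # the "CHR NewTab: Default -> Active:" sign that FRST shows.
            findings.append(f"extension {ext_id} overrides the new tab page with {newtab}")
    return findings


def scan_profile(profile_dir):
    """Scan both preference files of one Chrome profile directory."""
    findings = []
    for name in ("Secure Preferences", "Preferences"):
        path = Path(profile_dir) / name
        if not path.is_file():
            continue
        with path.open(encoding="utf-8") as fh:
            findings += [f"{name}: {f}" for f in find_hijack_signs(json.load(fh))]
    return findings


# Constructed sample mirroring the MovieBox and MergeDocsNow FRST signs above.
SAMPLE_SECURE_PREFS = {
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "MovieBox Search",
            "url": "https://feed.moviebox-online.com/?q={searchTerms}&publisher=movie-box",
            "suggestions_url": "https://api.moviebox-online.com/suggest/get?q={searchTerms}",
        }
    },
    "extensions": {
        "settings": {
            "genhcdlnoedbdchadffldpoabfimgfgh": {"manifest": {"name": "MovieBox Search"}},
            "picpadgnaiehfpanhlnlejeelgohjpid": {
                "manifest": {"name": "MergeDocsNow", "chrome_url_overrides": {"newtab": "ntp.html"}}
            },
        }
    },
}

if __name__ == "__main__":
    # Default Windows profile path, the same one the FRST lines above refer to.
    default_dir = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default"
    for line in scan_profile(default_dir) or ["no known hijacker signs found"]:
        print(line)
```

Close Chrome before reading the profile files, and extend the two indicator dictionaries with the IDs and hosts from the other posts (PDFPros, Search Box DS) to cover them as well.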
  8. What is PDFPros?
The Malwarebytes research team has determined that PDFPros is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one also uses web push notifications.

How do I know if my computer is affected by PDFPros?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu-bar:
and these changed settings:

How did PDFPros get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove PDFPros?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of PDFPros?
No, Malwarebytes removes PDFPros completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the PDFPros hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://feed.pdfpros.com/?q={searchTerms}&publisher=pdfpros&barcodeid=544300000000000
CHR DefaultSearchKeyword: Default -> PDFPros
CHR DefaultSuggestURL: Default -> hxxps://api.pdfpros.com/suggest/get?q={searchTerms}
CHR Extension: (PDFPros) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg [2019-08-14]

Alterations made by the installer:
File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0
   Adds the file closer.js"="9/13/2017 11:07 AM, 15 bytes, A
   Adds the file manifest.json"="8/14/2019 9:08 AM, 2242 bytes, A
   Adds the file popup.html"="12/31/2018 1:38 PM, 1141 bytes, A
   Adds the file tab.html"="9/13/2017 11:07 AM, 165 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata
   Adds the file computed_hashes.json"="8/14/2019 9:08 AM, 2561 bytes, A
   Adds the file verified_contents.json"="1/15/2019 8:07 AM, 2947 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images
   Adds the file how-1.png"="12/31/2018 1:38 PM, 2862 bytes, A
   Adds the file how-2.png"="12/31/2018 1:38 PM, 3247 bytes, A
   Adds the file logo-small.png"="12/31/2018 1:38 PM, 1109 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons
   Adds the file 128x128.png"="8/14/2019 9:08 AM, 1621 bytes, A
   Adds the file 16x16.png"="8/14/2019 9:08 AM, 527 bytes, A
   Adds the file 64x64.png"="8/14/2019 9:08 AM, 1281 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts
   Adds the file background.js"="1/17/2019 2:22 PM, 31608 bytes, A
   Adds the file jquery-3.3.1.min.js"="12/31/2018 1:38 PM, 86927 bytes, A
   Adds the file popup.js"="12/31/2018 1:38 PM, 568 bytes, A
   Adds the file sitecontent.js"="12/31/2018 1:38 PM, 77 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\styles
   Adds the file popup.css"="12/31/2018 1:38 PM, 1270 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dfhbfihajlehdolghpaempnfihmeopeg
   Adds the file PDFPros.ico"="8/14/2019 9:08 AM, 159726 bytes, A
   Adds the file PDFPros.ico.md5"="8/14/2019 9:08 AM, 16 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"dfhbfihajlehdolghpaempnfihmeopeg"="REG_SZ", "BB9973E71C0982B74DBE741630C725A42E874243EFAF7F166EF9F2C786D7522E"

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/14/19
Scan Time: 9:18 AM
Log File: a5ca0f46-be63-11e9-9c1a-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11999
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236355
Threats Detected: 29
Threats Quarantined: 29
Time Elapsed: 5 min, 48 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.PDFPros, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dfhbfihajlehdolghpaempnfihmeopeg, Quarantined, [348], [716810],1.0.11999

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 7
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\styles, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DFHBFIHAJLEHDOLGHPAEMPNFIHMEOPEG, Quarantined, [348], [716810],1.0.11999

File: 21
PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DFHBFIHAJLEHDOLGHPAEMPNFIHMEOPEG\2.1.0_0\MANIFEST.JSON, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons\128x128.png, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons\16x16.png, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons\64x64.png, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\how-1.png, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\how-2.png, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\logo-small.png, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\background.js, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\jquery-3.3.1.min.js, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\popup.js, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\sitecontent.js, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\styles\popup.css, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata\computed_hashes.json, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata\verified_contents.json, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\closer.js, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\popup.html, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\tab.html, Quarantined, [348], [716810],1.0.11999
PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [716808],1.0.11999
PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [716808],1.0.11999

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  9. What is SPP App?
The Malwarebytes research team has determined that SPP App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one sets itself as the default search provider and hijacks searches on major search sites.

How do I know if my computer is affected by SPP App?
You may see this entry in your list of installed Chrome extensions:
these warnings during install:
and this changed setting:

How did SPP App get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove SPP App?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of SPP App?
No, Malwarebytes removes SPP App completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the SPP App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://searchprivacyplus.com/results.php?p=9040&v=400&q={searchTerms}&source=default
CHR DefaultSearchKeyword: Default -> Secure
CHR DefaultSuggestURL: Default -> hxxps://searchprivacyplus.com/gjson.php?q={searchTerms}
CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm [2019-08-13]

Alterations made by the installer:
File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0
   Adds the file background.js"="8/9/2019 10:53 PM, 9104 bytes, A
   Adds the file manifest.json"="8/13/2019 9:07 AM, 1969 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata
   Adds the file computed_hashes.json"="8/13/2019 9:07 AM, 451 bytes, A
   Adds the file verified_contents.json"="8/9/2019 10:59 PM, 1651 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons
   Adds the file icon128.png"="8/13/2019 9:07 AM, 2188 bytes, A
   Adds the file icon48.png"="8/13/2019 9:07 AM, 253 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm
   Adds the file 000003.log"="8/13/2019 9:10 AM, 366 bytes, A
   Adds the file CURRENT"="8/13/2019 9:07 AM, 16 bytes, A
   Adds the file LOCK"="8/13/2019 9:07 AM, 0 bytes, A
   Adds the file LOG"="8/13/2019 9:07 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="8/13/2019 9:07 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jfcfgnljnhnpgofnhgifaanbjligjlpm
   Adds the file SPP App.ico"="8/13/2019 9:08 AM, 162813 bytes, A
   Adds the file SPP App.ico.md5"="8/13/2019 9:08 AM, 16 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"jfcfgnljnhnpgofnhgifaanbjligjlpm"="REG_SZ", "19564D7F704EB0C9FC27BE120247CDE951C365082614BF2A8B3F16752DC67AD6"

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/13/19
Scan Time: 9:22 AM
Log File: 2a57ba84-bd9b-11e9-b19a-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11981
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236682
Threats Detected: 21
Threats Quarantined: 21
Time Elapsed: 7 min, 34 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Adware.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jfcfgnljnhnpgofnhgifaanbjligjlpm, Quarantined, [374], [460702],1.0.11981

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFCFGNLJNHNPGOFNHGIFAANBJLIGJLPM, Quarantined, [374], [460702],1.0.11981

File: 15
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\000003.log, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\CURRENT, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\LOCK, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\LOG, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\MANIFEST-000001, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFCFGNLJNHNPGOFNHGIFAANBJLIGJLPM\2.2.2.1_0\MANIFEST.JSON, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons\icon128.png, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons\icon48.png, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata\computed_hashes.json, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata\verified_contents.json, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\background.js, Quarantined, [374], [460702],1.0.11981
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [374], [570730],1.0.11981
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [374], [570730],1.0.11981

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  10. What is Xtron Cleanup Pro?
The Malwarebytes research team has determined that Xtron Cleanup Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Xtron Cleanup Pro?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your startmenu, and on your desktop:
and see these warnings during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:

How did Xtron Cleanup Pro get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website.

How do I remove Xtron Cleanup Pro?
Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Xtron Cleanup Pro?
No, Malwarebytes removes Xtron Cleanup Pro completely.
This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes would have protected you against the Xtron Cleanup Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and we block access to their domain:

Technical details for experts
You may see these entries in FRST logs:
(NETCOM PC Utilities -> ) C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe
Task: {111B3651-C6B0-45C9-96B7-E0D081F3ABF1} - System32\Tasks\Xtron-Cleanup-Pro_Logon => C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe [2037936 2019-07-29] (NETCOM PC Utilities -> )
C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}
C:\Windows\System32\Tasks\Xtron-Cleanup-Pro_Logon
C:\Users\Public\Desktop\Xtron-Cleanup-Pro.lnk
C:\ProgramData\Xtron-Cleanup-Pro_{username}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username}
C:\Program Files\Xtron-Cleanup-Pro_{username}
Xtron-Cleanup-Pro (HKLM\...\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1) (Version: 1.0.0.0 - )

Alterations made by the installer:
File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Program Files\Xtron-Cleanup-Pro_{username}
   Adds the file application.ico"="6/10/2019 11:42 AM, 185552 bytes, A
   Adds the file danish_iss.ini"="5/29/2019 3:54 PM, 2402 bytes, A
   Adds the file Dutch_iss.ini"="5/29/2019 3:54 PM, 2600 bytes, A
   Adds the file english_iss.ini"="5/29/2019 3:54 PM, 2256 bytes, A
   Adds the file finish_iss.ini"="5/29/2019 3:54 PM, 2368 bytes, A
   Adds the file French_iss.ini"="5/29/2019 3:54 PM, 2792 bytes, A
   Adds the file german_iss.ini"="5/29/2019 3:54 PM, 2658 bytes, A
   Adds the file HtmlRenderer.dll"="7/29/2019 4:50 PM, 235184 bytes, A
   Adds the file HtmlRenderer.WinForms.dll"="7/29/2019 4:50 PM, 73904 bytes, A
   Adds the file Interop.IWshRuntimeLibrary.dll"="7/29/2019 4:50 PM, 62640 bytes, A
   Adds the file Interop.SHDocVw.dll"="7/29/2019 4:50 PM, 177328 bytes, A
   Adds the file italian_iss.ini"="5/29/2019 3:54 PM, 2532 bytes, A
   Adds the file japanese_iss.ini"="5/29/2019 3:54 PM, 1844 bytes, A
   Adds the file langs.db"="6/24/2019 5:44 PM, 486400 bytes, A
   Adds the file Microsoft.Win32.TaskScheduler.dll"="7/29/2019 4:50 PM, 184496 bytes, A
   Adds the file NAudio.dll"="7/29/2019 4:50 PM, 484528 bytes, A
   Adds the file Newtonsoft.Json.dll"="7/29/2019 4:50 PM, 474288 bytes, A
   Adds the file norwegian_iss.ini"="5/29/2019 3:54 PM, 2358 bytes, A
   Adds the file portuguese_iss.ini"="5/29/2019 3:54 PM, 2424 bytes, A
   Adds the file rgcl.exe"="7/29/2019 4:50 PM, 2037936 bytes, A
   Adds the file rgcl.exe.config"="7/29/2019 4:50 PM, 4601 bytes, A
   Adds the file rpics.dll"="7/29/2019 4:50 PM, 787120 bytes, A
   Adds the file russian_iss.ini"="5/29/2019 3:54 PM, 2494 bytes, A
   Adds the file spanish_iss.ini"="5/29/2019 3:54 PM, 2548 bytes, A
   Adds the file swedish_iss.ini"="5/29/2019 3:54 PM, 2270 bytes, A
   Adds the file System.Data.SQLite.DLL"="7/29/2019 4:50 PM, 304304 bytes, A
   Adds the file TAFactory.IconPack.dll"="7/29/2019 4:50 PM, 50352 bytes, A
   Adds the file unins000.dat"="8/12/2019 8:47 AM, 75329 bytes, A
   Adds the file unins000.exe"="8/12/2019 8:47 AM, 1371824 bytes, A
   Adds the file unins000.msg"="8/12/2019 8:47 AM, 22701 bytes, A
Adds the folder C:\Program Files\Xtron-Cleanup-Pro_{username}\x64
   Adds the file SQLite.Interop.dll"="7/29/2019 4:50 PM, 1189040 bytes, A
Adds the folder C:\Program Files\Xtron-Cleanup-Pro_{username}\x86
   Adds the file SQLite.Interop.dll"="7/29/2019 4:50 PM, 868016 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username}
   Adds the file Buy Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 951 bytes, A
   Adds the file Uninstall Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 963 bytes, A
   Adds the file Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 939 bytes, A
Adds the folder C:\ProgramData\Xtron-Cleanup-Pro_{username}
   Adds the file mdb.db"="6/25/2019 6:28 PM, 6643712 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}
   Adds the file aptnotfr.xml"="8/12/2019 8:48 AM, 8512 bytes, A
   Adds the file Errorlog.txt"="8/12/2019 8:54 AM, 30924 bytes, A
   Adds the file exlist.bin"="8/12/2019 8:48 AM, 257909 bytes, A
   Adds the file res.xml"="8/12/2019 8:53 AM, 29152 bytes, A
   Adds the file upt.xml"="8/12/2019 8:48 AM, 25772 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\smico
In the existing folder C:\Users\Public\Desktop
   Adds the file Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 921 bytes, A
In the existing folder C:\Windows\System32\Tasks
   Adds the file Xtron-Cleanup-Pro_Logon"="8/12/2019 8:48 AM, 3064 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe"
"DisplayName"="REG_SZ", "Xtron-Cleanup-Pro"
"DisplayVersion"="REG_SZ", "1.0.0.0"
"EstimatedSize"="REG_DWORD", 16054
"Inno Setup: App Path"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}"
"Inno Setup: Icon Group"="REG_SZ", "Xtron-Cleanup-Pro_{username}"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20190812"
"InstallLocation"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"QuietUninstallString"="REG_SZ", ""C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\WHRyb24tQ2xlYW51cC1Qcm8=\ACT]
"data"="REG_BINARY, ............................................................................................
[HKEY_LOCAL_MACHINE\SOFTWARE\xsc-pr]
"btnid"="REG_SZ", ""
"country"="REG_SZ", "us"
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"pxl"="REG_SZ", ""
"referUrl"="REG_SZ", ""
"TELNO"="REG_SZ", ""
"utm_campaign"="REG_SZ", ""
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", ""
"utm_source"="REG_SZ", ""
"x-at"="REG_SZ", ""
"x-context"="REG_SZ", ""
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Xtron-Cleanup-Pro_{username}]
"affired"="REG_DWORD", 1
"afterInstallUrl"="REG_SZ", "http://ins.instant-boost.xyz/install/xcp/?"
"apst"="REG_DWORD", 0
"cbkpoff"="REG_DWORD", 1
"country"="REG_SZ", "us"
"cta"="REG_DWORD", 0
"delayfront"="REG_DWORD", 0
"delaytime"="REG_DWORD", 0
"dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL"
"EmailURL"="REG_SZ", ""
"expired"="REG_DWORD", 0
"hdata"="REG_BINARY, ..................................................................................
"Installstring"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}"
"ipaddrurl"="REG_SZ", "http://ins.instant-boost.xyz/getip/"
"isavst"="REG_DWORD", 0
"isiunidu"="REG_DWORD", 0
"isprmjsn"="REG_DWORD", 0
"isshowng"="REG_DWORD", 1
"issilent"="REG_DWORD", 0
"ISTELNO"="REG_DWORD", 0
"LangCode"="REG_SZ", "en"
"lstregscancount"="REG_DWORD", 74
"lstscandate"="REG_SZ", "8/12/2019 8:53:18 AM"
"lstscanstat"="REG_DWORD", 2
"lstsecscancount"="REG_DWORD", 0
"lsttotalscancount"="REG_DWORD", 74
"ovoffdis"="REG_DWORD", 0
"paramurl"="REG_SZ", "http://trkr.xscactiv.com/ipfiles/"
"pdtm"="REG_DWORD", 30
"playsound"="REG_DWORD", 1
"prereg"="REG_DWORD", 0
"PurchaseURL"="REG_SZ", "http://www.syscarestore.com/xcp/price?"
"reg"="REG_DWORD", 0
"RenewURL"="REG_SZ", "http://www.syscarestore.com/xcp/renewal?"
"runcam"="REG_DWORD", 1
"runpixel"="REG_DWORD", 1
"runsrc"="REG_DWORD", 1
"showtn"="REG_DWORD", 0
"showunins"="REG_DWORD", 0
"showwfo"="REG_DWORD", 0
"stdismax"="REG_DWORD", -1
"supporturl"="REG_SZ", "http://www.instant-boost.xyz/help/"
"TELNO"="REG_SZ", "855-446-9808"
"TELNO_ar"="REG_SZ", ""
"TELNO_at"="REG_SZ", ""
"TELNO_au"="REG_SZ", ""
"TELNO_be"="REG_SZ", ""
"TELNO_br"="REG_SZ", ""
"TELNO_ca"="REG_SZ", "855-446-9808"
"TELNO_ch"="REG_SZ", ""
"TELNO_de"="REG_SZ", ""
"TELNO_dk"="REG_SZ", ""
"TELNO_es"="REG_SZ", ""
"TELNO_fi"="REG_SZ", ""
"TELNO_fr"="REG_SZ", ""
"TELNO_gb"="REG_SZ", ""
"TELNO_it"="REG_SZ", ""
"TELNO_ja"="REG_SZ", ""
"TELNO_lu"="REG_SZ", ""
"TELNO_nl"="REG_SZ", ""
"TELNO_no"="REG_SZ", ""
"TELNO_pt"="REG_SZ", ""
"TELNO_se"="REG_SZ", ""
"TELNO_uk"="REG_SZ", ""
"TELNO_us"="REG_SZ", "855-446-9808"
"WebURL"="REG_SZ", "http://www.instant-boost.xyz/"
"wfoset"="REG_DWORD", 1
"x-ccode"="REG_SZ", "us"
"x-datetime"="REG_SZ", ""
"x-fetch"="REG_SZ", "0"
"x-ip"="REG_SZ", "89_18_17_140"
[HKEY_CURRENT_USER\Software\Xtron-Cleanup-Pro_{username}]
"affiliateid"="REG_SZ", ""
"InstallString"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}"
"LangCode"="REG_SZ", "en"
"utm_medium"="REG_SZ", ""
"x-datetime"="REG_SZ", ""
"x-fetch"="REG_SZ", "0"
"x-ip"="REG_SZ", "89_187_178_140"
[HKEY_CURRENT_USER\Software\Xtron-Cleanup-Pro_{username}\1.0.0.0]
"Installstring"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}"

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/12/19
Scan Time: 9:01 AM
Log File: fb2e035d-bcce-11e9-95d2-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11968
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236734
Threats Detected: 72
Threats Quarantined: 72
Time Elapsed: 7 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe, Quarantined, [470], [717828],1.0.11968

Module: 6
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717828],1.0.11968

Registry Key: 8
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Xtron-Cleanup-Pro_Logon, Quarantined, [470], [698852],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{111B3651-C6B0-45C9-96B7-E0D081F3ABF1}, Quarantined, [470], [698852],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{111B3651-C6B0-45C9-96B7-E0D081F3ABF1}, Quarantined, [470], [698852],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717827],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\WHRyb24tQ2xlYW51cC1Qcm8=, Quarantined, [470], [698859],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR, Quarantined, [470], [698879],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717825],1.0.11968

Registry Value: 4
PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron-Cleanup-Pro_{username}|AFFILIATEID, Quarantined, [470], [717827],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{111B3651-C6B0-45C9-96B7-E0D081F3ABF1}|PATH, Quarantined, [470], [698854],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR|UTM_CAMPAIGN, Quarantined, [470], [698879],1.0.11968
PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron-Cleanup-Pro_{username}|AFFIRED, Quarantined, [470], [717825],1.0.11968

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 7
PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717830],1.0.11968
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x64, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x86, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717828],1.0.11968
PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717829],1.0.11968
PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\smico, Quarantined, [470], [717831],1.0.11968
PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717831],1.0.11968

File: 46
PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron-Cleanup-Pro_{username}\mdb.db, Quarantined, [470], [717830],1.0.11968
PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Xtron-Cleanup-Pro_Logon, Quarantined, [470], [698852],1.0.11968
PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717832],1.0.11968
PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron-Cleanup-Pro_{username}\unins000.dat, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x86\SQLite.Interop.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\langs.db, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\application.ico, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\danish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Dutch_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\english_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\finish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\French_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\german_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\HtmlRenderer.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\HtmlRenderer.WinForms.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Interop.SHDocVw.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\italian_iss.ini, Quarantined, [470], [717828],1.0.11968 
PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\japanese_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\NAudio.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Newtonsoft.Json.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\norwegian_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\portuguese_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe.config, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rpics.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\russian_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\spanish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\swedish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.exe, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.msg, Quarantined, [470], [717828],1.0.11968 
PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron-Cleanup-Pro_{username}\Buy Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717829],1.0.11968 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username}\Uninstall Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717829],1.0.11968 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username}\Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717829],1.0.11968 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron-Cleanup-Pro_{username}\Errorlog.txt, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\aptnotfr.xml, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\exlist.bin, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\res.xml, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\upt.xml, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-R5TVK.TMP\XTRON-CLEANUP-PRO SETUP .TMP, Quarantined, [470], [698868],1.0.11968 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\XTRON-CLEANUP-PRO SETUP .EXE, Quarantined, [470], [698868],1.0.11968 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Xtron Optimizer Pro?
The Malwarebytes research team has determined that Xtron Optimizer Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Xtron Optimizer Pro?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your Start menu, and on your desktop:
and see these warnings during install:
and these kinds of screens during "operations":
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:

How did Xtron Optimizer Pro get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:

How do I remove Xtron Optimizer Pro?
Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Xtron Optimizer Pro?
No, Malwarebytes removes Xtron Optimizer Pro completely.
This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below, the full version of Malwarebytes would have protected you against the Xtron Optimizer Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and we block access to their domain:

Technical details for experts
You may see these entries in FRST logs:
(ADVANCED PC UTILITIES -> ) C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe
Task: {6587CF3A-F150-43D0-BA88-FEBBAA37257D} - System32\Tasks\Xtron- Optimizer-Pro_Logon => C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe [2048032 2019-08-07] (ADVANCED PC UTILITIES -> )
C:\Windows\System32\Tasks\Xtron- Optimizer-Pro_Logon
C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}
C:\Users\Public\Desktop\Xtron- Optimizer-Pro.lnk
C:\ProgramData\Xtron- Optimizer-Pro_{username}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username}
C:\Program Files\Xtron- Optimizer-Pro_{username}
Xtron- Optimizer-Pro (HKLM\...\{341EE7CC-AA90-42F1-B889-4B35572073D1}_is1) (Version: 1.0.0.6 - )

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\Xtron- Optimizer-Pro_{username}
Adds the file application.ico"="6/10/2019 11:42 AM, 185552 bytes, A
Adds the file english_iss.ini"="5/29/2019 3:54 PM, 2256 bytes, A
Adds the file HtmlRenderer.dll"="8/7/2019 12:13 PM, 235040 bytes, A
Adds the file HtmlRenderer.WinForms.dll"="8/7/2019 12:13 PM, 73760 bytes, A
Adds the file Interop.IWshRuntimeLibrary.dll"="8/7/2019 12:13 PM, 62496 bytes, A
Adds the file Interop.SHDocVw.dll"="8/7/2019 12:13 PM, 177184 bytes, A
Adds the file langs.db"="6/24/2019 5:44 PM, 486400 bytes, A
Adds the file Microsoft.Win32.TaskScheduler.dll"="8/7/2019 12:13 PM, 184352 bytes, A
Adds the file NAudio.dll"="8/7/2019 12:13 PM, 484384 bytes, A
Adds the file Newtonsoft.Json.dll"="8/7/2019 12:13 PM, 474144 bytes, A
Adds the file pmgr.dll"="8/7/2019 12:13 PM, 786976 bytes, A
Adds the file rgcl.exe"="8/7/2019 12:13 PM, 2048032 bytes, A
Adds the file rgcl.exe.config"="8/7/2019 12:13 PM, 4557 bytes, A
Adds the file System.Data.SQLite.DLL"="8/7/2019 12:13 PM, 304160 bytes, A
Adds the file TAFactory.IconPack.dll"="8/7/2019 12:13 PM, 50208 bytes, A
Adds the file unins000.dat"="8/9/2019 9:08 AM, 75779 bytes, A
Adds the file unins000.exe"="8/9/2019 9:07 AM, 1371680 bytes, A
Adds the file unins000.msg"="8/9/2019 9:08 AM, 22701 bytes, A
Adds the folder C:\Program Files\Xtron- Optimizer-Pro_{username}\x64
Adds the file SQLite.Interop.dll"="8/7/2019 12:13 PM, 1188896 bytes, A
Adds the folder C:\Program Files\Xtron- Optimizer-Pro_{username}\x86
Adds the file SQLite.Interop.dll"="8/7/2019 12:13 PM, 867872 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username}
Adds the file Buy Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 972 bytes, A
Adds the file Uninstall Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 984 bytes, A
Adds the file Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 960 bytes, A
Adds the folder C:\ProgramData\Xtron- Optimizer-Pro_{username}
Adds the file mdb.db"="6/25/2019 6:28 PM, 6643712 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}
Adds the file aptnotfr.xml"="8/9/2019 9:09 AM, 7487 bytes, A
Adds the file Errorlog.txt"="8/9/2019 9:16 AM, 21548 bytes, A
Adds the file exlist.bin"="8/9/2019 9:09 AM, 257915 bytes, A
Adds the file res.xml"="8/9/2019 9:12 AM, 14669 bytes, A
Adds the file upt.xml"="8/9/2019 9:09 AM, 23206 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\smico
In the existing folder C:\Users\Public\Desktop
Adds the file Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 942 bytes, A
In the existing folder C:\Windows\System32\Tasks
Adds the file Xtron- Optimizer-Pro_Logon"="8/9/2019 9:09 AM, 3070 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{341EE7CC-AA90-42F1-B889-4B35572073D1}_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe"
"DisplayName"="REG_SZ", "Xtron- Optimizer-Pro"
"DisplayVersion"="REG_SZ", "1.0.0.6"
"EstimatedSize"="REG_DWORD", 16062
"Inno Setup: App Path"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}"
"Inno Setup: Icon Group"="REG_SZ", "Xtron- Optimizer-Pro_{username}"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20190809"
"InstallLocation"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"QuietUninstallString"="REG_SZ", ""C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\WHRyb24tIE9wdGltaXplci1Qcm8=\ACT]
"data"="REG_BINARY, ............
[HKEY_LOCAL_MACHINE\SOFTWARE\xsc-pr]
"btnid"="REG_SZ", ""
"country"="REG_SZ", "us"
"LangCode"="REG_SZ", "en"
"lpid"="REG_SZ", ""
"pxl"="REG_SZ", ""
"referUrl"="REG_SZ", ""
"TELNO"="REG_SZ", ""
"utm_campaign"="REG_SZ", ""
"utm_medium"="REG_SZ", ""
"utm_pubid"="REG_SZ", ""
"utm_source"="REG_SZ", ""
"x-at"="REG_SZ", ""
"x-context"="REG_SZ", ""
"x-plt"="REG_SZ", ""
"x-var1"="REG_SZ", ""
"x-var2"="REG_SZ", ""
"x-var3"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Xtron- Optimizer-Pro_{username}]
"affired"="REG_DWORD", 1
"afterInstallUrl"="REG_SZ", "http://ins.pc-booster.xyz/install/xop/?"
"apst"="REG_DWORD", 0
"cbkpoff"="REG_DWORD", 1
"country"="REG_SZ", "us"
"cta"="REG_DWORD", 0
"delayfront"="REG_DWORD", 0
"delaytime"="REG_DWORD", 0
"dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL"
"EmailURL"="REG_SZ", ""
"expired"="REG_DWORD", 0
"hdata"="REG_BINARY, ............
"Installstring"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}"
"ipaddrurl"="REG_SZ", "http://ins.pc-booster.xyz/getip/"
"isavst"="REG_DWORD", 0
"isiunidu"="REG_DWORD", 0
"isprmjsn"="REG_DWORD", 0
"isshowng"="REG_DWORD", 1
"issilent"="REG_DWORD", 0
"ISTELNO"="REG_DWORD", 0
"LangCode"="REG_SZ", "en"
"lstregscancount"="REG_DWORD", 37
"lstscandate"="REG_SZ", "8/9/2019 9:12:16 AM"
"lstscanstat"="REG_DWORD", 2
"lstsecscancount"="REG_DWORD", 0
"lsttotalscancount"="REG_DWORD", 37
"ovoffdis"="REG_DWORD", 0
"paramurl"="REG_SZ", "http://trkr.xscactiv.com/ipfiles/"
"pdtm"="REG_DWORD", 30
"playsound"="REG_DWORD", 1
"prereg"="REG_DWORD", 0
"PurchaseURL"="REG_SZ", "http://www.syscarestore.com/xop/price?"
"reg"="REG_DWORD", 0
"RenewURL"="REG_SZ", "http://www.syscarestore.com/xop/renewal?"
"runcam"="REG_DWORD", 1
"runpixel"="REG_DWORD", 1
"runsrc"="REG_DWORD", 1
"showtn"="REG_DWORD", 0
"showunins"="REG_DWORD", 0
"showwfo"="REG_DWORD", 0
"stdismax"="REG_DWORD", -1
"supporturl"="REG_SZ", "http://www.pc-booster.xyz/help/"
"TELNO"="REG_SZ", "855-446-9808"
"TELNO_ar"="REG_SZ", ""
"TELNO_at"="REG_SZ", ""
"TELNO_au"="REG_SZ", ""
"TELNO_be"="REG_SZ", ""
"TELNO_br"="REG_SZ", ""
"TELNO_ca"="REG_SZ", "855-446-9808"
"TELNO_ch"="REG_SZ", ""
"TELNO_de"="REG_SZ", ""
"TELNO_dk"="REG_SZ", ""
"TELNO_es"="REG_SZ", ""
"TELNO_fi"="REG_SZ", ""
"TELNO_fr"="REG_SZ", ""
"TELNO_gb"="REG_SZ", ""
"TELNO_it"="REG_SZ", ""
"TELNO_ja"="REG_SZ", ""
"TELNO_lu"="REG_SZ", ""
"TELNO_nl"="REG_SZ", ""
"TELNO_no"="REG_SZ", ""
"TELNO_pt"="REG_SZ", ""
"TELNO_se"="REG_SZ", ""
"TELNO_uk"="REG_SZ", ""
"TELNO_us"="REG_SZ", "855-446-9808"
"WebURL"="REG_SZ", "http://www.pc-booster.xyz/"
"wfoset"="REG_DWORD", 1
"x-ccode"="REG_SZ", "us"
"x-datetime"="REG_SZ", ""
"x-fetch"="REG_SZ", "0"
"x-ip"="REG_SZ", "89_18_18_220"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/9/19
Scan Time: 9:27 AM
Log File: 3587be45-ba77-11e9-a7fc-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11928
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236611
Threats Detected: 71
Threats Quarantined: 71
Time Elapsed: 7 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe, Quarantined, [470], [717840],1.0.11928

Module: 6
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717840],1.0.11928

Registry Key: 8
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Xtron- Optimizer-Pro_Logon, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6587CF3A-F150-43D0-BA88-FEBBAA37257D}, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{6587CF3A-F150-43D0-BA88-FEBBAA37257D}, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{341EE7CC-AA90-42F1-B889-4B35572073D1}_is1, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717841],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\WHRyb24tIE9wdGltaXplci1Qcm8=, Quarantined, [470], [698859],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR, Quarantined, [470], [698879],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717842],1.0.11928

Registry Value: 4
PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron- Optimizer-Pro_{username}|AFFILIATEID, Quarantined, [470], [717841],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6587CF3A-F150-43D0-BA88-FEBBAA37257D}|PATH, Quarantined, [470], [698854],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR|UTM_CAMPAIGN, Quarantined, [470], [698879],1.0.11928
PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron- Optimizer-Pro_{username}|AFFIRED, Quarantined, [470], [717842],1.0.11928

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 7
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x64, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x86, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717838],1.0.11928
PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\smico, Quarantined, [470], [717837],1.0.11928
PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717837],1.0.11928
PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717839],1.0.11928

File: 45
PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron- Optimizer-Pro_{username}\unins000.dat, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x86\SQLite.Interop.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\langs.db, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\application.ico, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\danish_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Dutch_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\english_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\finish_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\French_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\german_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\HtmlRenderer.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\HtmlRenderer.WinForms.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Interop.SHDocVw.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\italian_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\japanese_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\NAudio.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Newtonsoft.Json.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\norwegian_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\pmgr.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\portuguese_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe.config, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\russian_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\spanish_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\swedish_iss.ini, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.exe, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.msg, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Xtron- Optimizer-Pro_Logon, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\USERS\PUBLIC\Desktop\Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron- Optimizer-Pro_{username}\mdb.db, Quarantined, [470], [717838],1.0.11928
PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron- Optimizer-Pro_{username}\Errorlog.txt, Quarantined, [470], [717837],1.0.11928
PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\aptnotfr.xml, Quarantined, [470], [717837],1.0.11928
PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\exlist.bin, Quarantined, [470], [717837],1.0.11928
PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\res.xml, Quarantined, [470], [717837],1.0.11928
PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\upt.xml, Quarantined, [470], [717837],1.0.11928
PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron- Optimizer-Pro_{username}\Buy Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717839],1.0.11928
PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username}\Uninstall Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717839],1.0.11928
PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username}\Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717839],1.0.11928
PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\XTRON- OPTIMIZER-PRO SETUP.EXE, Quarantined, [470], [649610],1.0.11928

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
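The Malwarebytes scan logs quoted in the posts above all share one plain-text layout: header sections bracketed by hyphens, then a -Scan Details- section whose category headers ("File: 45") announce how many detection lines follow. The Python below is an added example, not Malwarebytes' or the forum's own code: it parses that layout, checks that the declared counts agree with the entries and with the -Scan Summary- totals (on this page 1+6+8+4+7+45 = 71 for Xtron Optimizer Pro), and lists the scheduled-task entries a responder re-checks after reboot because this PUP relaunches rgcl.exe from a logon task. The sample log is constructed to mirror the page's format with placeholder paths.

```python
"""Parse a Malwarebytes 3 Threat Scan log in the plain-text layout quoted above.

Added example, not Malwarebytes' or the forum's own code. SAMPLE_LOG is a
constructed log in the same layout as the posts' logs, with placeholder paths.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/9/19
Log File: {placeholder}.json

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 236611
Threats Detected: 4
Threats Quarantined: 4

-Scan Details-
Process: 1
PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe, Quarantined, [470], [717840],1.0.11928
Registry Key: 1
PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Xtron- Optimizer-Pro_Logon, Quarantined, [470], [717840],1.0.11928
Registry Value: 0
(No malicious items detected)
File: 2
PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Xtron- Optimizer-Pro_Logon, Quarantined, [470], [717840],1.0.11928
PUP.Optional.PCVARK, C:\Users\Public\Desktop\Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717840],1.0.11928

(end)
"""

SECTION_RE = re.compile(r"^-(?P<name>[^-].*?)-$")                    # -Scan Summary-
CATEGORY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+): (?P<count>\d+)$")   # File: 45
DETECTION_RE = re.compile(                                            # one detection line
    r"^(?P<family>[^,]+), (?P<target>.+), (?P<action>[A-Za-z ]+), "
    r"\[(?P<rule>\d+)\], \[(?P<sig>\d+)\],\s*(?P<dbver>[\d.]+)$"
)
# Locations that relaunch a binary at logon/boot: scheduled tasks and Run keys.
PERSIST_RE = re.compile(r"TASKCACHE|\\SYSTEM32\\TASKS\\|\\CurrentVersion\\Run", re.I)


def parse_mb_log(text):
    """Return {'sections': {name: {key: value}}, 'declared': {category: n},
    'detections': [dict]} for one log."""
    sections, declared, detections = {}, {}, []
    section = category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            sections.setdefault(section, {})
            continue
        if section == "Scan Details":
            m = CATEGORY_RE.match(line)
            if m:                                  # "Registry Key: 8" opens a category
                category = m.group("cat")
                declared[category] = int(m.group("count"))
                continue
            m = DETECTION_RE.match(line)
            if not (m and category):
                raise ValueError("unrecognised detail line: " + line)
            rec = m.groupdict()
            rec["category"] = category
            detections.append(rec)
        elif section and ": " in line:             # "Key: value" in the header sections
            key, value = line.split(": ", 1)
            sections[section][key] = value
    return {"sections": sections, "declared": declared, "detections": detections}


def check_log(parsed):
    """Cross-check the category headers against the entries actually listed and
    against the -Scan Summary- totals. An empty list means the log is consistent."""
    problems = []
    actual = Counter(d["category"] for d in parsed["detections"])
    for cat, n in parsed["declared"].items():
        if actual[cat] != n:
            problems.append(f"{cat}: header says {n}, found {actual[cat]}")
    summary = parsed["sections"].get("Scan Summary", {})
    detected = int(summary.get("Threats Detected", -1))
    if detected != sum(parsed["declared"].values()):
        problems.append(f"Threats Detected {detected} != sum of category headers")
    quarantined = sum(d["action"] == "Quarantined" for d in parsed["detections"])
    if int(summary.get("Threats Quarantined", -1)) != quarantined:
        problems.append("Threats Quarantined != number of Quarantined entries")
    return problems


def persistence_artifacts(parsed):
    """Targets under scheduled-task or Run locations: the entries to re-verify
    after reboot, since this PUP relaunches rgcl.exe from a logon task."""
    return [d["target"] for d in parsed["detections"] if PERSIST_RE.search(d["target"])]


if __name__ == "__main__":
    parsed = parse_mb_log(SAMPLE_LOG)
    print(Counter(d["family"] for d in parsed["detections"]))
    print("problems:", check_log(parsed) or "none")
    print("persistence:", persistence_artifacts(parsed))
```

Feed it the full text of one of the logs above and the category counts reconcile to the Threats Detected line; a log that does not reconcile was either truncated in the paste or edited.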
  12. What is Docset?The Malwarebytes research team has determined that Docset is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Docset?You may see this entry in your list of installed Chrome extensions:and these warnings during install:How did Docset get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Docset?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Docset? No, Malwarebytes removes Docset completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Docset hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. 
Technical details for experts

Possible signs in FRST logs:
CHR Extension: (Docset) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi [2019-08-08]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0
Adds the file background.js"="8/8/2019 12:28 PM, 5382 bytes, A
Adds the file manifest.json"="8/8/2019 9:06 AM, 1713 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata
Adds the file computed_hashes.json"="8/8/2019 9:06 AM, 404 bytes, A
Adds the file verified_contents.json"="8/8/2019 12:28 PM, 1648 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons
Adds the file icon128.png"="8/8/2019 9:06 AM, 2188 bytes, A
Adds the file icon48.png"="8/8/2019 9:06 AM, 253 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi
Adds the file 000003.log"="8/8/2019 9:09 AM, 0 bytes, A
Adds the file CURRENT"="8/8/2019 9:09 AM, 16 bytes, A
Adds the file LOCK"="8/8/2019 9:09 AM, 0 bytes, A
Adds the file LOG"="8/8/2019 9:09 AM, 0 bytes, A
Adds the file MANIFEST-000001"="8/8/2019 9:09 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"cjpnndfekemedjpbkbncodpefimlfmbi"="REG_SZ", "46D6156A281ACFD964EF465BB90364F33D86FFC45A0EB09FDCCC3154C5FAAB21"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/8/19
Scan Time: 9:16 AM
Log File: 75f7a975-b9ac-11e9-a53a-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11908
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236368
Threats Detected: 19
Threats Quarantined: 19
Time Elapsed: 6 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
PUP.Optional.QuickGoSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cjpnndfekemedjpbkbncodpefimlfmbi, Quarantined, [352], [663238],1.0.11908
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 5
PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJPNNDFEKEMEDJPBKBNCODPEFIMLFMBI, Quarantined, [352], [663238],1.0.11908
File: 13
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\000003.log, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\CURRENT, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\LOCK, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\LOG, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\MANIFEST-000001, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJPNNDFEKEMEDJPBKBNCODPEFIMLFMBI\3.3.4_0\MANIFEST.JSON, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons\icon128.png, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons\icon48.png, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata\computed_hashes.json, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata\verified_contents.json, Quarantined, [352], [663238],1.0.11908
PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\background.js, Quarantined, [352], [663238],1.0.11908
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  13. What is PDF Converter by Safely?
The Malwarebytes research team has determined that PDF Converter by Safely is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by PDF Converter by Safely?
You may see these new browser extensions/add-ons:
and these warnings during install:
You will see this icon in the browser's menu-bar:

How did PDF Converter by Safely get on my computer?
Browser hijackers use different methods for distributing themselves. The Chrome extension was downloaded from the webstore:
after a redirect from their website:

How do I remove PDF Converter by Safely?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of PDF Converter by Safely?
No, Malwarebytes removes PDF Converter by Safely completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the PDF Converter by Safely hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
FF Extension: (PDF Converter by Safely) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{f459049d-939d-432e-83c7-07ced47e629a}.xpi [2019-08-07] [UpdateUrl:hxxps://addons.search-safely.net/pcff/updates.json]
CHR DefaultSearchURL: Default -> hxxp://www.pdfsearchsafe.com/search/?category=web&s=g6ds&q={searchTerms}
CHR DefaultSearchKeyword: Default -> PDF Converter
CHR DefaultSuggestURL: Default -> hxxp://sug.pdfsearchsafe.com/search/index_sg.php?q={searchTerms}
CHR Extension: (PDF Converter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd [2019-08-07]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0
Adds the file config.js"="5/27/2019 11:10 AM, 1557 bytes, A
Adds the file manifest.json"="8/7/2019 9:20 AM, 2135 bytes, A
Adds the file rate.js"="5/27/2019 11:10 AM, 2585 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata
Adds the file computed_hashes.json"="8/7/2019 9:20 AM, 10702 bytes, A
Adds the file verified_contents.json"="6/25/2019 4:02 PM, 5796 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg
Adds the file background.html"="5/27/2019 11:10 AM, 200 bytes, A
Adds the file background.js"="6/23/2019 3:58 PM, 2217 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img
Adds the file close-icon.png"="5/27/2019 11:10 AM, 230 bytes, A
Adds the file cog-icon.png"="5/27/2019 11:10 AM, 393 bytes, A
Adds the file icon128.png"="8/7/2019 9:20 AM, 2270 bytes, A
Adds the file icon16.png"="8/7/2019 9:20 AM, 518 bytes, A
Adds the file icon48.png"="8/7/2019 9:20 AM, 1069 bytes, A
Adds the file pdf_converter_presentation2.gif"="5/27/2019 11:10 AM, 117798 bytes, A
Adds the file type-jpg.svg"="5/27/2019 11:10 AM, 3521 bytes, A
Adds the file type-pjpg.svg"="5/27/2019 11:10 AM, 4369 bytes, A
Adds the file type-png.svg"="5/27/2019 11:10 AM, 3250 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare
Adds the file close.png"="5/27/2019 11:10 AM, 1920 bytes, A
Adds the file rate.jpg"="5/27/2019 11:10 AM, 102155 bytes, A
Adds the file rate1.png"="5/27/2019 11:10 AM, 12334 bytes, A
Adds the file share.jpg"="5/27/2019 11:10 AM, 17633 bytes, A
Adds the file share1.png"="5/27/2019 11:10 AM, 4466 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\inject
Adds the file onInstallCallback.js"="5/27/2019 11:10 AM, 684 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery
Adds the file jquery.cookie.js"="5/27/2019 11:10 AM, 4341 bytes, A
Adds the file jquery.min.js"="5/27/2019 11:10 AM, 84249 bytes, A
Adds the file jquery-ui.custom.min.js"="5/27/2019 11:10 AM, 228088 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css
Adds the file jquery-ui.custom.css"="5/27/2019 11:10 AM, 20579 bytes, A
Adds the file override-page.css"="5/27/2019 11:10 AM, 5513 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images
Adds the file ui-bg_flat_55_999999_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A
Adds the file ui-bg_flat_75_aaaaaa_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A
Adds the file ui-bg_glass_45_0078ae_1x400.png"="5/27/2019 11:10 AM, 136 bytes, A
Adds the file ui-bg_glass_55_f8da4e_1x400.png"="5/27/2019 11:10 AM, 131 bytes, A
Adds the file ui-bg_glass_75_79c9ec_1x400.png"="5/27/2019 11:10 AM, 132 bytes, A
Adds the file ui-bg_gloss-wave_50_38cfff_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A
Adds the file ui-bg_gloss-wave_75_2191c0_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A
Adds the file ui-bg_inset-hard_100_fcfdfd_1x100.png"="5/27/2019 11:10 AM, 88 bytes, A
Adds the file ui-icons_056b93_256x240.png"="5/27/2019 11:10 AM, 5355 bytes, A
Adds the file ui-icons_d8e7f3_256x240.png"="5/27/2019 11:10 AM, 4369 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
Adds the file {f459049d-939d-432e-83c7-07ced47e629a}.xpi"="8/7/2019 9:30 AM, 468509 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"flihljijbojekggaafjfjfnfipamdndd"="REG_SZ", "106A231E5CEF9CC121B62F6BC36D05549DEC6BDC4558C0FB06A70114FD11A6CA"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/7/19
Scan Time: 12:09 PM
Log File: 6a1ba558-b8fb-11e9-b68b-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11896
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236317
Threats Detected: 53
Threats Quarantined: 53
Time Elapsed: 10 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
PUP.Optional.Safely, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|flihljijbojekggaafjfjfnfipamdndd, Quarantined, [349], [717247],1.0.11896
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 10
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\inject, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FLIHLJIJBOJEKGGAAFJFJFNFIPAMDNDD, Quarantined, [349], [717247],1.0.11896
File: 42
PUP.Optional.Safely, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{PROFILE}.DEFAULT\EXTENSIONS\{F459049D-939D-432E-83C7-07CED47E629A}.XPI, Quarantined, [349], [672276],1.0.11896
PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FLIHLJIJBOJEKGGAAFJFJFNFIPAMDNDD\1.0.0_0\MANIFEST.JSON, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg\background.html, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg\background.js, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\close.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\rate.jpg, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\rate1.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\share.jpg, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\share1.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\close-icon.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\cog-icon.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\icon128.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\icon16.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\icon48.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\pdf_converter_presentation2.gif, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\type-jpg.svg, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\type-pjpg.svg, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\type-png.svg, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\inject\onInstallCallback.js, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_flat_55_999999_40x100.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_flat_75_aaaaaa_40x100.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_glass_45_0078ae_1x400.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_glass_55_f8da4e_1x400.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_glass_75_79c9ec_1x400.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_gloss-wave_50_38cfff_500x100.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_gloss-wave_75_2191c0_500x100.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_inset-hard_100_fcfdfd_1x100.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-icons_056b93_256x240.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-icons_d8e7f3_256x240.png, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\jquery-ui.custom.css, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\override-page.css, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\jquery-ui.custom.min.js, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\jquery.cookie.js, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\jquery.min.js, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata\computed_hashes.json, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata\verified_contents.json, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\config.js, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\rate.js, Quarantined, [349], [717247],1.0.11896
PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [349], [717248],1.0.11896
PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [349], [717248],1.0.11896
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
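The FRST lines quoted in the Docset and PDF Converter by Safely guides above (a CHR Extension entry with the hijacker's ID, an FF Extension that updates from the vendor's own UpdateUrl instead of Mozilla, and CHR DefaultSearchURL / DefaultSuggestURL pointing at the hijacker's domain), plus the CHR NewTab override that the Delete Facebook Messages guide further down shows, are the indicator types an analyst greps an FRST.txt for. The script below is an added example, not code from these posts or from Malwarebytes: it parses those line types and flags each one. Its sample input reuses the FRST lines quoted on this page plus two constructed benign lines; the extension-ID denylist (built from the IDs on this page) and the search-host allowlist are assumptions for the demo, not Malwarebytes detection data.

```python
"""Triage FRST browser lines for search-hijacker indicators (added example)."""
import re
from urllib.parse import urlparse

# Assumed allowlist: search hosts the analyst considers expected defaults.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Assumed denylist, built from the extension IDs quoted in the guides on this page.
HIJACKER_EXTENSION_IDS = {
    "cjpnndfekemedjpbkbncodpefimlfmbi": "Docset",
    "flihljijbojekggaafjfjfnfipamdndd": "PDF Converter",
    "gclddpoljobheacaakifdocnknfcmeeh": "DFB Search",
}

# Firefox add-ons normally update from AMO; a private UpdateUrl means the vendor
# decides what the add-on turns into after install.
MOZILLA_UPDATE_HOST = "addons.mozilla.org"

# Chrome extension IDs are 32 characters from the range a-p.
CHR_SETTING_RE = re.compile(
    r"^CHR (DefaultSearchURL|DefaultSuggestURL|NewTab): (\S+) -> (.+)$")
CHR_EXT_RE = re.compile(
    r"^CHR Extension: \((.+?)\) - .+?\\([a-p]{32}) \[(\d{4}-\d{2}-\d{2})\]")
FF_EXT_RE = re.compile(
    r"^FF Extension: \((.+?)\) - (.+?\.xpi) \[\d{4}-\d{2}-\d{2}\](?: \[UpdateUrl:(\S+)\])?")
EXT_URL_RE = re.compile(r"chrome-extension://([a-p]{32})/")


def refang(url: str) -> str:
    """FRST defangs URLs as hxxp:// and hxxps://; restore the scheme for parsing."""
    return re.sub(r"^hxxp", "http", url)


def host_of(url: str) -> str:
    return urlparse(refang(url)).hostname or ""


def triage_line(line: str) -> list:
    """Return (indicator, detail) findings for one FRST line; [] if nothing is flagged."""
    findings = []
    m = CHR_SETTING_RE.match(line)
    if m:
        setting, profile, value = m.groups()
        if setting == "NewTab":
            ext = EXT_URL_RE.search(value)
            if ext:  # new tab page served by an extension, as in the DFB Search case
                name = HIJACKER_EXTENSION_IDS.get(ext.group(1), "unknown extension")
                findings.append(("newtab-override", f"{profile}: {ext.group(1)} ({name})"))
        else:
            host = host_of(value)
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append((f"{setting.lower()}-unknown-host", f"{profile}: {host}"))
        return findings
    m = CHR_EXT_RE.match(line)
    if m:
        name, ext_id, installed = m.groups()
        if ext_id in HIJACKER_EXTENSION_IDS:
            findings.append(("known-hijacker-extension",
                             f"{ext_id} '{name}' installed {installed}"))
        return findings
    m = FF_EXT_RE.match(line)
    if m:
        name, _path, update_url = m.groups()
        if update_url and host_of(update_url) != MOZILLA_UPDATE_HOST:
            findings.append(("ff-private-update-url",
                             f"'{name}' updates from {host_of(update_url)}"))
        return findings
    return findings


def triage(lines) -> list:
    """Run triage_line over every line of an FRST log and collect the findings."""
    return [f for line in lines for f in triage_line(line.strip())]


SAMPLE_FRST_LINES = [
    # Quoted from the Docset and PDF Converter by Safely guides on this page.
    r"CHR Extension: (Docset) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi [2019-08-08]",
    r"FF Extension: (PDF Converter by Safely) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{f459049d-939d-432e-83c7-07ced47e629a}.xpi [2019-08-07] [UpdateUrl:hxxps://addons.search-safely.net/pcff/updates.json]",
    r"CHR DefaultSearchURL: Default -> hxxp://www.pdfsearchsafe.com/search/?category=web&s=g6ds&q={searchTerms}",
    r"CHR DefaultSearchKeyword: Default -> PDF Converter",
    r"CHR DefaultSuggestURL: Default -> hxxp://sug.pdfsearchsafe.com/search/index_sg.php?q={searchTerms}",
    r"CHR Extension: (PDF Converter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd [2019-08-07]",
    # Quoted from the Delete Facebook Messages guide on this page.
    r'CHR NewTab: Default -> Active:"chrome-extension://gclddpoljobheacaakifdocnknfcmeeh/newtab/index.html"',
    # Constructed benign lines (not from the page) to show nothing is flagged.
    r"CHR DefaultSearchURL: Default -> hxxps://www.google.com/search?q={searchTerms}",
    r"CHR Extension: (Google Docs Offline) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2019-08-01]",
]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_FRST_LINES):
        print(f"{indicator:32} {detail}")
```

Feed `triage()` the lines of a real FRST.txt to get the same report. The allowlist on search hosts is deliberate: a hijacker's search domain changes with every campaign, while the set of engines a machine legitimately uses is small, so flagging anything outside that set ages better than a denylist of hijacker domains.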
  14. What is Delete Facebook Messages?
The Malwarebytes research team has determined that Delete Facebook Messages is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This particular one also changes the Newtab page.

How do I know if my computer is affected by Delete Facebook Messages?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You will see this icon in your Chrome menu-bar:
and these changed settings:

How did Delete Facebook Messages get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:
after a redirect from their website:

How do I remove Delete Facebook Messages?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Delete Facebook Messages?
No, Malwarebytes removes Delete Facebook Messages completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Delete Facebook Messages hijacker. It would have blocked their website, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
CHR NewTab: Default -> Active:"chrome-extension://gclddpoljobheacaakifdocnknfcmeeh/newtab/index.html"
CHR DefaultSearchURL: Default -> hxxps://dfbmsgs.com/search?q={searchTerms}
CHR DefaultSearchKeyword: Default -> dfb
CHR Extension: (DFB Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh [2019-08-06]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0
Adds the file background.html"="6/20/2019 11:56 PM, 123 bytes, A
Adds the file manifest.json"="8/6/2019 8:56 AM, 1776 bytes, A
Adds the file popup.html"="3/15/2019 2:23 PM, 2982 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata
Adds the file computed_hashes.json"="8/6/2019 8:56 AM, 6823 bytes, A
Adds the file verified_contents.json"="7/10/2019 9:34 AM, 3353 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\css
Adds the file bootstrap.min.css"="11/21/2017 12:11 AM, 144302 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons
Adds the file fb.png"="5/7/2019 10:09 AM, 4160 bytes, A
Adds the file fb16.png"="6/10/2019 12:28 PM, 3613 bytes, A
Adds the file icon.png"="8/6/2019 8:56 AM, 6461 bytes, A
Adds the file no-image-icon-13.png"="7/8/2019 3:18 PM, 3107 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js
Adds the file angular.min.js"="8/13/2016 4:12 AM, 155877 bytes, A
Adds the file archive.js"="6/4/2019 10:02 AM, 5608 bytes, A
Adds the file background.js"="7/10/2019 9:21 AM, 2713 bytes, A
Adds the file bootstrap.min.js"="2/12/2017 8:25 PM, 28669 bytes, A
Adds the file fb - Copy.js"="11/21/2017 3:44 AM, 6055 bytes, A
Adds the file fb.js"="6/4/2019 10:06 AM, 5604 bytes, A
Adds the file is_sdk1.4.js"="6/20/2019 11:55 PM, 10215 bytes, A
Adds the file jquery.min.js"="8/26/2016 10:35 PM, 83304 bytes, A
Adds the file popup.js"="6/4/2019 10:01 AM, 3746 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab
Adds the file index.html"="7/8/2019 3:16 PM, 989 bytes, A
Adds the file newtab.js"="7/8/2019 3:16 PM, 2057 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh
Adds the file 000003.log"="8/6/2019 8:56 AM, 68 bytes, A
Adds the file CURRENT"="8/6/2019 8:56 AM, 16 bytes, A
Adds the file LOCK"="8/6/2019 8:56 AM, 0 bytes, A
Adds the file LOG"="8/6/2019 8:56 AM, 184 bytes, A
Adds the file MANIFEST-000001"="8/6/2019 8:56 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"gclddpoljobheacaakifdocnknfcmeeh"="REG_SZ", "40D8E54D876A6CD3E345C26D20C51A76006A2A04CD61F108EFE26BFC23066DFF"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/6/19
Scan Time: 8:46 AM
Log File: f4cdf3b8-b815-11e9-8e55-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11876
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236347
Threats Detected: 38
Threats Quarantined: 38
Time Elapsed: 6 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 1
PUP.Optional.UKTopFive, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gclddpoljobheacaakifdocnknfcmeeh, Quarantined, [370], [674082],1.0.11876
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 8
PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\css, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GCLDDPOLJOBHEACAAKIFDOCNKNFCMEEH, Quarantined, [370], [674082],1.0.11876
File: 29
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\000003.log, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\CURRENT, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\LOCK, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\LOG, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\LOG.old, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\MANIFEST-000001, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GCLDDPOLJOBHEACAAKIFDOCNKNFCMEEH\3.0.3_0\MANIFEST.JSON, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\css\bootstrap.min.css, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\fb.png, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\fb16.png, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\icon.png, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\no-image-icon-13.png, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\angular.min.js, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\archive.js, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\background.js, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\bootstrap.min.js, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\fb - Copy.js, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\fb.js, Quarantined, [370], [674082],1.0.11876
PUP.Optional.UKTopFive,
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\is_sdk1.4.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\jquery.min.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\popup.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab\index.html, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab\newtab.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata\computed_hashes.json, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata\verified_contents.json, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\background.html, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\popup.html, Quarantined, [370], [674082],1.0.11876 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use 
different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
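Added example, not code from the forum post above: a PowerShell script that hunts for the Search Box DS artifacts the post's file listing and scan log name (the extension ID gclddpoljobheacaakifdocnknfcmeeh, its Extensions and Sync Extension Settings folders, the extensions.settings record in Preferences/Secure Preferences, and the PreferenceMACs registry value) across every local user and every Chrome profile on the machine. Only the extension ID and the paths come from the post; the function name and the fields it reports are this example's own.

```powershell
# Added example (not code from the Malwarebytes post): hunt for the Chrome extension
# artifacts listed above, for every local user and every Chrome profile on the box.
# The extension ID is the one the post's listing and scan log show for Search Box DS;
# the function name and the fields it reports are this example's own choices.
$ExtensionId = 'gclddpoljobheacaakifdocnknfcmeeh'

function New-Finding($User, $Profile, $Kind, $Detail) {
    [pscustomobject]@{ User = $User; Profile = $Profile; Kind = $Kind; Detail = $Detail }
}

function Find-ChromeExtensionArtifacts {
    param([Parameter(Mandatory)][string]$Id)
    $findings = New-Object System.Collections.Generic.List[object]

    # One pass per local user profile; Public/Default are templates and never hold Chrome data.
    $userRoots = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin 'Public', 'Default', 'Default User', 'All Users' }

    foreach ($root in $userRoots) {
        $userData = Join-Path $root.FullName 'AppData\Local\Google\Chrome\User Data'
        if (-not (Test-Path -LiteralPath $userData)) { continue }

        # Chrome profile directories are "Default", "Profile 1", "Profile 2", ...
        $profiles = Get-ChildItem -Path $userData -Directory |
            Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

        foreach ($profile in $profiles) {
            # 1. Unpacked extension files: <profile>\Extensions\<id>\<version>\manifest.json
            $extDir = Join-Path $profile.FullName "Extensions\$Id"
            if (Test-Path -LiteralPath $extDir) {
                foreach ($ver in Get-ChildItem -Path $extDir -Directory) {
                    $manifest = Join-Path $ver.FullName 'manifest.json'
                    $name = '?'
                    if (Test-Path -LiteralPath $manifest) {
                        $name = (Get-Content -LiteralPath $manifest -Raw | ConvertFrom-Json).name
                    }
                    $findings.Add((New-Finding $root.Name $profile.Name 'ExtensionFiles' "$($ver.Name) name=$name"))
                }
            }

            # 2. Per-extension LevelDB store under "Sync Extension Settings" (chrome.storage.sync data)
            $syncDir = Join-Path $profile.FullName "Sync Extension Settings\$Id"
            if (Test-Path -LiteralPath $syncDir) {
                $findings.Add((New-Finding $root.Name $profile.Name 'SyncExtensionSettings' $syncDir))
            }

            # 3. The install record itself: extensions.settings.<id> in Secure Preferences / Preferences
            foreach ($prefFile in 'Secure Preferences', 'Preferences') {
                $prefPath = Join-Path $profile.FullName $prefFile
                if (-not (Test-Path -LiteralPath $prefPath)) { continue }
                $settings = (Get-Content -LiteralPath $prefPath -Raw | ConvertFrom-Json).extensions.settings
                if ($settings -and ($settings.PSObject.Properties.Name -contains $Id)) {
                    $entry = $settings.$Id
                    $findings.Add((New-Finding $root.Name $profile.Name $prefFile "state=$($entry.state) from_webstore=$($entry.from_webstore) path=$($entry.path)"))
                }
            }
        }
    }

    # 4. Chrome's tamper-detection hash for that settings entry, one subkey per Chrome profile.
    #    HKCU covers the user running the script only; other users' hives must be loaded under HKU.
    $macRoot = 'HKCU:\Software\Google\Chrome\PreferenceMACs'
    if (Test-Path $macRoot) {
        foreach ($profKey in Get-ChildItem -Path $macRoot) {
            $settingsKey = Join-Path $profKey.PSPath 'extensions.settings'
            if (-not (Test-Path $settingsKey)) { continue }
            $mac = (Get-ItemProperty -Path $settingsKey).$Id
            if ($mac) {
                $findings.Add((New-Finding $env:USERNAME $profKey.PSChildName 'PreferenceMAC' $mac))
            }
        }
    }
    return $findings
}

$hits = Find-ChromeExtensionArtifacts -Id $ExtensionId
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { "No artifacts for extension $ExtensionId found." }
```

Run it elevated to cover every user's profile directory; the registry part only sees the HKCU hive of the account running it. One detail in the scan log is worth reading literally: Preferences and Secure Preferences are reported as Replaced rather than Quarantined, because the extension is registered inside those JSON files and the PreferenceMACs value is Chrome's integrity hash over that record. Deleting only the extension folder leaves the registration and its hash in place, so remove the extension through chrome://extensions or the scanner, which keep the two consistent.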
15. What is Shark PC Protector?

The Malwarebytes research team has determined that Shark PC Protector is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Shark PC Protector?

This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your start menu, and on your desktop:
and see these warnings during install:
and this screen during "operations":
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:

How did Shark PC Protector get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:

How do I remove Shark PC Protector?

Our program Malwarebytes can detect and remove this potentially unwanted application.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Shark PC Protector?

No, Malwarebytes removes Shark PC Protector completely.
This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes would have protected you against the Shark PC Protector installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and we block access to their domain:

Technical details for experts

You may see these entries in FRST logs:
(Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe
Task: {94427936-D024-4D0E-8A85-3496931204CE} - System32\Tasks\Shark PC Protector => C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe [3240752 2019-06-06] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.)
S2 COMServices; C:\Program Files (x86)\Shark PC Protector\svc//COMServices.exe [X]
C:\Windows\System32\Tasks\Shark PC Protector
C:\Users\Public\Desktop\Shark PC Protector.lnk
C:\Users\{username}\AppData\Roaming\Shark PC Protector
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shark PC Protector
C:\Program Files (x86)\Shark PC Protector
C:\Users\{username}\Downloads\Trojan.Worm.720266.msh
C:\Users\{username}\Downloads\Trojan.Worm.361461.msh
Shark PC Protector (HKLM-x32\...\{E6302A5A-54A4-4A53-9BE7-EA9AC128D298}}_is1) (Version: 1.0 - Econosoft Global Services Pte. Ltd.)
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Shark PC Protector
Adds the file Interop.NATUPNPLib.dll"="4/19/2018 12:25 PM, 7168 bytes, A
Adds the file Interop.NETCONLib.dll"="4/19/2018 12:25 PM, 9728 bytes, A
Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 12:25 PM, 19456 bytes, A
Adds the file Interop.Shell32.dll"="4/19/2018 12:25 PM, 36864 bytes, A
Adds the file Interop.WUApiLib.dll"="4/19/2018 12:25 PM, 73728 bytes, A
Adds the file ksb.bat"="8/8/2018 9:05 PM, 208 bytes, A
Adds the file logo.ico"="6/6/2019 2:49 PM, 21662 bytes, A
Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 12:31 PM, 171008 bytes, A
Adds the file sharkpcprotector.exe"="6/6/2019 7:59 PM, 3240752 bytes, A
Adds the file SharpCompress.dll"="4/19/2018 12:35 PM, 418304 bytes, A
Adds the file Sys_Trace.xml"="4/19/2018 12:45 PM, 46 bytes, A
Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A
Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A
Adds the file unins000.dat"="8/5/2019 9:17 AM, 64650 bytes, A
Adds the file unins000.exe"="8/5/2019 9:16 AM, 732976 bytes, A
Adds the file unins000.msg"="8/5/2019 9:17 AM, 11573 bytes, A
Adds the file WpfAnimatedGif.dll"="4/19/2018 12:20 PM, 28160 bytes, A
Adds the file WPFToolkit.dll"="4/19/2018 12:20 PM, 467288 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\Backup
Adds the folder C:\Program Files (x86)\Shark PC Protector\de
Adds the file sharkpcprotector.resources.dll"="6/6/2019 7:58 PM, 29696 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\en
Adds the file sharkpcprotector.resources.dll"="6/6/2019 7:58 PM, 27136 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\ja-jp
Adds the file sharkpcprotector.resources.dll"="6/6/2019 7:58 PM, 33280 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\uni
Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A
Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A
Adds the file Uninstaller.exe"="6/6/2019 7:51 PM, 527152 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\en
Adds the file Uninstaller.resources.dll"="6/6/2019 7:51 PM, 25600 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\ja-jp
Adds the file Uninstaller.resources.dll"="6/6/2019 7:51 PM, 33280 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\x64
Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\x86
Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\x64
Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A
Adds the folder C:\Program Files (x86)\Shark PC Protector\x86
Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shark PC Protector
Adds the file Shark PC Protector.lnk"="8/5/2019 9:17 AM, 1231 bytes, A
Adds the file Uninstall Shark PC Protector.lnk"="8/5/2019 9:17 AM, 1191 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\Backup
Adds the folder C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\setting
Adds the file pbp_sett.ash"="8/5/2019 9:19 AM, 2043904 bytes, A
In the existing folder C:\Users\{username}\Downloads
Adds the file Trojan.Worm.361461.msh"="8/1/2019 1:21 PM, 259 bytes, A
Adds the file Trojan.Worm.720266.msh"="8/1/2019 1:21 PM, 259 bytes, A
In the existing folder C:\Users\Public\Desktop
Adds the file Shark PC Protector.lnk"="8/5/2019 9:17 AM, 1213 bytes, A
In the existing folder C:\Windows\System32\Tasks
Adds the file Shark PC Protector"="8/5/2019 9:17 AM, 3252 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\FT\SPP\Activation]
"Insdate"="REG_SZ", "0vk82II+kwASrHMk467xg06RZVH33BDSyywI+67hxko="
"language"="REG_SZ", "en"
"languageindex"="REG_SZ", "0"
"lap"="REG_SZ", "1qGZiOOFObHe4TpZYfRFLO1Z730z7GABrbVp9jOxcMo="
"lbp"="REG_SZ", "1qGZiOOFObHe4TpZYfRFLO1Z730z7GABrbVp9jOxcMo="
"lr"="REG_SZ", "2NQXF+b/h86YyDSWaGiUCTkIftjJWmJhQDtWYmdPLtw="
"lsp"="REG_SZ", "1qGZiOOFObHe4TpZYfRFLO1Z730z7GABrbVp9jOxcMo="
"PN"="REG_SZ", "+1(888)200-8889"
"Program"="REG_SZ", "Shark PC Protector"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\SPP\Activation]
"IsTrack"="REG_SZ", "1"
"language"="REG_SZ", "en"
"languageindex"="REG_SZ", "0"
"Program"="REG_SZ", "Shark PC Protector"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E6302A5A-54A4-4A53-9BE7-EA9AC128D298}}_is1]
"Comments"="REG_SZ", "Shark PC Protector"
"Contact"="REG_SZ", "0800-183-3940"
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Shark PC Protector\logo.ico"
"DisplayName"="REG_SZ", "Shark PC Protector"
"DisplayVersion"="REG_SZ", "1.0"
"EstimatedSize"="REG_DWORD", 13749
"Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Shark PC Protector"
"Inno Setup: Icon Group"="REG_SZ", "Shark PC Protector"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.5.6 (a)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20190805"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\Shark PC Protector\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd."
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Shark PC Protector\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\Shark PC Protector\unins000.exe""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMServices]
"DisplayName"="REG_SZ", "COMServices"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\Shark PC Protector\svc//COMServices.exe"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shark PC Protector"="REG_SZ", ""C:\Program Files (x86)\Shark PC Protector\ksb.bat""

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/5/19
Scan Time: 9:26 AM
Log File: 60fc5026-b752-11e9-88c6-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11862
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 236500
Threats Detected: 70
Threats Quarantined: 70
Time Elapsed: 8 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe, Quarantined, [1514], [709339],1.0.11862

Module: 2
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x64\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe, Quarantined, [1514], [709339],1.0.11862

Registry Key: 9
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SHARK PC PROTECTOR, Quarantined, [1514], [709341],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{94427936-D024-4D0E-8A85-3496931204CE}, Quarantined, [1514], [709341],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{94427936-D024-4D0E-8A85-3496931204CE}, Quarantined, [1514], [709341],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E6302A5A-54A4-4A53-9BE7-EA9AC128D298}}_is1, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\FT\SPP, Quarantined, [1514], [709343],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\WOW6432NODE\FT\SPP, Quarantined, [1514], [709343],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\COMSERVICES, Quarantined, [1514], [709345],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\TRACING\sharkpcprotector_RASAPI32, Quarantined, [1514], [709344],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\TRACING\sharkpcprotector_RASMANCS, Quarantined, [1514], [709344],1.0.11862

Registry Value: 3
PUP.Optional.SharkPCProtector, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Shark PC Protector, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\COMSERVICES|IMAGEPATH, Quarantined, [1514], [709345],1.0.11862
PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{94427936-D024-4D0E-8A85-3496931204CE}|PATH, Quarantined, [1514], [709349],1.0.11862

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 17
PUP.Optional.SharkPCProtector, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SHARK PC PROTECTOR, Quarantined, [1514], [709340],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\ja-jp, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x64, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x86, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Backup, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\en, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\ja-jp, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x64, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x86, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\de, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\en, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\PROGRAM FILES (X86)\SHARK PC PROTECTOR, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\setting, Quarantined, [1514], [709336],1.0.11862
PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\Backup, Quarantined, [1514], [709336],1.0.11862
PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online, Quarantined, [1514], [709336],1.0.11862
PUP.Optional.SharkPCProtector, C:\USERS\{username}\APPDATA\ROAMING\SHARK PC PROTECTOR, Quarantined, [1514], [709336],1.0.11862

File: 38
PUP.Optional.SharkPCProtector, C:\WINDOWS\SYSTEM32\TASKS\SHARK PC PROTECTOR, Quarantined, [1514], [709341],1.0.11862
PUP.Optional.SharkPCProtector, C:\USERS\PUBLIC\DESKTOP\SHARK PC PROTECTOR.LNK, Quarantined, [1514], [709337],1.0.11862
PUP.Optional.SharkPCProtector, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SHARK PC PROTECTOR\UNINSTALL SHARK PC PROTECTOR.LNK, Quarantined, [1514], [709340],1.0.11862
PUP.Optional.SharkPCProtector, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shark PC Protector\Shark PC Protector.lnk, Quarantined, [1514], [709340],1.0.11862
PUP.Optional.SharkPCProtector, C:\PROGRAM FILES (X86)\SHARK PC PROTECTOR\UNINS000.MSG, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\de\sharkpcprotector.resources.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\en\sharkpcprotector.resources.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\ja-jp\sharkpcprotector.resources.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\en\Uninstaller.resources.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\ja-jp\Uninstaller.resources.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x64\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x86\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\System.Data.SQLite.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\System.Data.SQLite.xml, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\Uninstaller.exe, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x64\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x86\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.NATUPNPLib.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.NETCONLib.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.NetFwTypeLib.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.Shell32.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.WUApiLib.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\ksb.bat, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\logo.ico, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\SharpCompress.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\System.Data.SQLite.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\System.Data.SQLite.xml, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Sys_Trace.xml, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\unins000.dat, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\unins000.exe, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\WpfAnimatedGif.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\WPFToolkit.dll, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Shark PC Protector.lnk, Quarantined, [1514], [709339],1.0.11862
PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\setting\pbp_sett.ash, Quarantined, [1514], [709336],1.0.11862
PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-492UD.TMP\SHARKPCPROTECTOR.TMP, Quarantined, [566], [711523],1.0.11862
PUP.Optional.PCBooster, C:\USERS\{username}\DESKTOP\SHARKPCPROTECTOR.EXE, Quarantined, [566], [711523],1.0.11862

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
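Added example, not code from the forum post above: a PowerShell script that enumerates the persistence and install artifacts the post's FRST entries and scan log attribute to Shark PC Protector (the task file under System32\Tasks and its TaskCache GUID, the COMServices service with its svc//COMServices.exe image path, the HKCU Run value that launches ksb.bat, the Inno Setup uninstall key, the HKLM\SOFTWARE\FT\SPP\Activation key, the program, Start Menu and roaming folders, and the Trojan.Worm.*.msh files the installer itself writes into Downloads). Every name, GUID and path is copied from those logs; the function and the output layout are this example's own.

```powershell
# Added example (not code from the Malwarebytes post): enumerate the install and persistence
# artifacts the post's FRST entries and scan log attribute to Shark PC Protector.
# Every name, path and GUID below is copied from those logs; the function and the
# output layout are this example's own. Run elevated so System32\Tasks and the HKLM
# service key are readable.
$Artifacts = @{
    TaskFile      = "$env:SystemRoot\System32\Tasks\Shark PC Protector"
    TaskGuid      = '{94427936-D024-4D0E-8A85-3496931204CE}'
    ServiceName   = 'COMServices'
    RunValueName  = 'Shark PC Protector'           # HKCU Run value that launches ksb.bat
    UninstallKey  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E6302A5A-54A4-4A53-9BE7-EA9AC128D298}}_is1'
    ActivationKey = 'HKLM:\SOFTWARE\FT\SPP\Activation'
    Folders       = @("${env:ProgramFiles(x86)}\Shark PC Protector",
                      "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Shark PC Protector",
                      "$env:SystemDrive\Users\Public\Desktop\Shark PC Protector.lnk")
    DownloadsGlob = 'Trojan.Worm.*.msh'            # written into Downloads by the installer itself
}

function New-Finding($Kind, $Detail) { [pscustomobject]@{ Kind = $Kind; Detail = $Detail } }

function Get-SharkPcProtectorArtifacts {
    param([hashtable]$A = $Artifacts)
    $out = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled task: the task XML under System32\Tasks, then its TaskCache registration by GUID
    if (Test-Path -LiteralPath $A.TaskFile) {
        $task = [xml](Get-Content -LiteralPath $A.TaskFile -Raw)
        $out.Add((New-Finding 'ScheduledTask' "$($A.TaskFile) -> $($task.Task.Actions.Exec.Command)"))
    }
    $cacheKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\$($A.TaskGuid)"
    if (Test-Path -LiteralPath $cacheKey) {
        $out.Add((New-Finding 'TaskCache' "$($A.TaskGuid) Path=$((Get-ItemProperty -LiteralPath $cacheKey).Path)"))
    }

    # 2. Service: the log registers it as LocalSystem with Start=2 (automatic). The installer
    #    listing never creates an svc folder, so report whether the image file actually exists.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($A.ServiceName)"
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $image = ([string]$svc.ImagePath).Trim('"')
        $out.Add((New-Finding 'Service' "$($A.ServiceName) ImagePath=$image present=$(Test-Path -LiteralPath $image) account=$($svc.ObjectName) start=$($svc.Start)"))
    }

    # 3. Per-user Run value (HKCU, so this sees only the account running the script)
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains $A.RunValueName)) {
        $out.Add((New-Finding 'RunKey' "$($A.RunValueName) = $($run.($A.RunValueName))"))
    }

    # 4. Inno Setup uninstall entry and the vendor's "Activation" key (support phone number etc.)
    foreach ($key in $A.UninstallKey, $A.ActivationKey) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        $summary = ($props.PSObject.Properties |
            Where-Object { $_.Name -in 'DisplayName', 'Publisher', 'Contact', 'InstallDate', 'PN', 'Program' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        $out.Add((New-Finding 'Registry' "$key : $summary"))
    }

    # 5. Program, Start Menu and shortcut paths, then per-user roaming data and the .msh files
    foreach ($f in $A.Folders) {
        if (Test-Path -LiteralPath $f) { $out.Add((New-Finding 'Path' $f)) }
    }
    foreach ($user in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $roaming = Join-Path $user.FullName 'AppData\Roaming\Shark PC Protector'
        if (Test-Path -LiteralPath $roaming) { $out.Add((New-Finding 'Path' $roaming)) }
        $downloads = Join-Path $user.FullName 'Downloads'
        if (Test-Path -LiteralPath $downloads) {
            foreach ($f in Get-ChildItem -Path $downloads -Filter $A.DownloadsGlob -File -ErrorAction SilentlyContinue) {
                $out.Add((New-Finding 'InstallerWrittenFile' "$($f.FullName) ($($f.Length) bytes)"))
            }
        }
    }
    return $out
}

$found = Get-SharkPcProtectorArtifacts
if ($found) { $found | Format-Table -AutoSize -Wrap } else { 'No Shark PC Protector artifacts found.' }
```

Two points from the logs are worth checking rather than assuming. The installer's file listing adds no svc folder, so the service's ImagePath may point at a binary that is not there; the present= field tells you which. If it ever is there, the registry values in the post (ObjectName=LocalSystem, Start=2) mean it starts at boot with full privileges, which is why the scan log quarantines the service key and its IMAGEPATH value separately. The two 259-byte Trojan.Worm.*.msh files are listed under "Alterations made by the installer", so finding them is evidence of this installer having run, not of a worm.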