Metallica

Staff
  • Content count
    1,992
1 Follower

About Metallica

  • Rank
    Master of PUPs
  • Birthday 05/19/1963

Profile Information

  • Location
    Netherlands

  1. What is TheMovie-Hub.net?

     The Malwarebytes research team has determined that TheMovie-Hub.net is a search hijacker. These so-called "hijackers" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

     How do I know if my computer is affected by TheMovie-Hub.net?

     You may see these browser extensions:
     and these warnings during install:
     and this icon in the Chrome menu-bar:

     How did TheMovie-Hub.net get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website after a redirect.

     How do I remove TheMovie-Hub.net?

     Our program Malwarebytes can detect and remove this potentially unwanted program.
       • Please download Malwarebytes to your desktop.
       • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
       • Then click Finish.
       • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
       • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
       • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
       • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of TheMovie-Hub.net?

     If you are using an older version of Malwarebytes, you may have to remove the Extension manually under Tools > More Tools > Extensions. Click on the bin behind the TheMovie-Hub.net entry and confirm Remove in the prompt.

     If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the TheMovie-Hub.net hijacker. It blocks traffic to their domain:

     Technical details for experts

     Possible signs in a FRST log:
       FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\TheMovie-Hub.net_YezkChdTjo@www.themovie-hub.net.xpi [2017-12-08]
       CHR DefaultSearchURL: Default -> hxxp://www.themovie-hub.net/yhs/search?p={searchTerms}&hspart=mnet&hsimp=yhs-001&type=
       CHR DefaultSearchKeyword: Default -> Yahoo
       CHR DefaultSuggestURL: Default -> hxxp://www.themovie-hub.net/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
       CHR Extension: (Web Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\adgkifdkpjehfomkfhknjecjdjenaiob [2017-12-08]

     Changes made by the installer:

     Registry details [View: All details] (Selection)
       [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
       "adgkifdkpjehfomkfhknjecjdjenaiob"="REG_SZ", "D13CB8B0B04B8B9C3B42CAD85E2629E6F16289A3EC74DABEFED370E05D3A5BFB"

     The Malwarebytes scan log:

       Malwarebytes
       www.malwarebytes.com

       -Log Details-
       Scan Date: 12/8/17
       Scan Time: 12:07 PM
       Log File: f9a84604-dc07-11e7-96d1-080027750297.json
       Administrator: Yes

       -Software Information-
       Version: 3.3.1.2183
       Components Version: 1.0.236
       Update Package Version: 1.0.3444
       License: Premium

       -System Information-
       OS: Windows 7 Service Pack 1
       CPU: x64
       File System: NTFS
       User: {computername}\{username}

       -Scan Summary-
       Scan Type: Threat Scan
       Result: Completed
       Objects Scanned: 243421
       Threats Detected: 46
       Threats Quarantined: 46
       Time Elapsed: 1 min, 52 sec

       -Scan Options-
       Memory: Enabled
       Startup: Enabled
       Filesystem: Enabled
       Archives: Enabled
       Rootkits: Disabled
       Heuristics: Enabled
       PUP: Detect
       PUM: Detect

       -Scan Details-
       Process: 0 (No malicious items detected)
       Module: 0 (No malicious items detected)
       Registry Key: 0 (No malicious items detected)
       Registry Value: 0 (No malicious items detected)
       Registry Data: 0 (No malicious items detected)
       Data Stream: 0 (No malicious items detected)
       Folder: 12
       File: 34
       Physical Sector: 0 (No malicious items detected)

       (end)

     As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.
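A read-only check for the TheMovie-Hub.net indicators the guide above lists (the Chrome extension ID, the Firefox .xpi, the Chrome search-provider URL and the PreferenceMACs entry), so a helper or admin can confirm the hijacker's presence in a user profile before running the removal. This is an added example, not code from the post or from Malwarebytes; the Chrome Preferences JSON keys `default_search_provider_data.template_url_data.url` and `.suggestions_url` are assumed from Chrome's preference layout, everything else comes from the FRST lines quoted in the post.

```powershell
# Added example: report TheMovie-Hub.net indicators in a Windows user profile.
# Reads only; nothing is deleted or changed. Indicators are those quoted in the guide.
param(
    [string]$UserProfile = $env:USERPROFILE
)

$ChromeExtId = 'adgkifdkpjehfomkfhknjecjdjenaiob'                          # CHR Extension (Web Search)
$FirefoxXpi  = 'TheMovie-Hub.net_YezkChdTjo@www.themovie-hub.net.xpi'      # FF Extension from the FRST log
$Domain      = 'themovie-hub.net'                                          # DefaultSearchURL / DefaultSuggestURL host

$findings = @()

# 1. Chrome extension folder keyed by the extension ID
$chromeDefault = Join-Path $UserProfile 'AppData\Local\Google\Chrome\User Data\Default'
$extDir = Join-Path $chromeDefault "Extensions\$ChromeExtId"
if (Test-Path -LiteralPath $extDir) {
    $findings += "Chrome extension folder present: $extDir"
}

# 2. Chrome search settings. FRST's CHR DefaultSearchURL/DefaultSuggestURL come from these
#    JSON files; the key path below is assumed from Chrome's preference layout.
foreach ($prefName in 'Preferences', 'Secure Preferences') {
    $prefPath = Join-Path $chromeDefault $prefName
    if (-not (Test-Path -LiteralPath $prefPath)) { continue }
    try {
        $prefs = Get-Content -Raw -LiteralPath $prefPath | ConvertFrom-Json
    } catch {
        continue   # unreadable or not JSON: skip rather than fail the whole check
    }
    $dsp = $prefs.default_search_provider_data.template_url_data
    if ($dsp -and (($dsp.url -like "*$Domain*") -or ($dsp.suggestions_url -like "*$Domain*"))) {
        $findings += "$prefName default search provider points at ${Domain}: $($dsp.url)"
    }
}

# 3. Firefox: the hijacker's .xpi in any profile's extensions folder
$ffProfiles = Join-Path $UserProfile 'AppData\Roaming\Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $ffProfiles) {
    Get-ChildItem -LiteralPath $ffProfiles -Directory | ForEach-Object {
        $xpi = Join-Path $_.FullName "extensions\$FirefoxXpi"
        if (Test-Path -LiteralPath $xpi) {
            $findings += "Firefox extension present: $xpi"
        }
    }
}

# 4. Registry: the PreferenceMACs value Chrome keeps for this extension's settings
$macKey = 'HKCU:\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings'
if (Test-Path -LiteralPath $macKey) {
    $props = Get-ItemProperty -LiteralPath $macKey
    if ($props.PSObject.Properties.Name -contains $ChromeExtId) {
        $findings += "PreferenceMACs entry for $ChromeExtId present under $macKey"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No TheMovie-Hub.net indicators found in $UserProfile"
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it as the affected user (or pass another profile path with -UserProfile); a hit on the search-provider check alone is the redirect symptom the guide describes, while the folder and .xpi hits show the extension itself is still installed.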
  2. What is Identity Protector? The Malwarebytes research team has determined that Identity Protector is "nagware". This nagware tries to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog. How do I know if I am infected with Identity Protector? This is how the main screen of the potentially unwanted software looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see these warninga during install: and this screen during "operations": You may see this entry in your list of installed programs: and this task in your list of Scheduled Tasks: How did Identity Protector get on my computer? These so-called PUPs use different methods of getting installed. This particular one was downloaded from their website: How do I remove Identity Protector? Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Identity Protector? Yes, Malwarebytes only removes the main executable of Identity Protector so that people who wish yo keep using it only need to exclude one file. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me? 
We hope our application and this guide have helped you eradicate this potentially unwanted software. As you can see below the full version of Malwarebytes would have protected you against the Identity Protector installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for experts You may see these entries in FRST logs: (IdentityProtector.co) C:\Program Files (x86)\Identity Protector\IdentityProtector.exe C:\ProgramData\IdentityProtector.co C:\Windows\System32\Tasks\Identity Protector_Logon C:\Users\Public\Desktop\Identity Protector.lnk C:\Users\{username}\AppData\Roaming\IdentityProtector.co C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Identity Protector C:\Program Files (x86)\Identity Protector (IdentityProtector.co ) C:\Users\{username}\Desktop\ipsetupsite.exe Identity Protector (HKLM-x32\...\39B262A6-2E6C-4AF9-BEF7-E43DD1035C2B_is1) (Version: 1.0.0.34513 - IdentityProtector.co) Task: {8BF96F7A-A7EC-4998-A5A5-04BEA717DCCD} - System32\Tasks\Identity Protector_Logon => C:\Program Files (x86)\Identity Protector\IdentityProtector.exe [2017-10-30] (IdentityProtector.co) () C:\Program Files (x86)\Identity Protector\UrlHistoryLibrary.dll () C:\Program Files (x86)\Identity Protector\Excel.dll Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Identity Protector Adds the file danish_iss.ini"="7/17/2017 1:07 PM, 2410 bytes, A Adds the file Dutch_iss.ini"="7/17/2017 1:07 PM, 2608 bytes, A Adds the file english_iss.ini"="7/17/2017 1:07 PM, 2264 bytes, A Adds the file Excel.dll"="10/30/2017 5:09 PM, 76128 bytes, A Adds the file finish_iss.ini"="7/17/2017 1:07 PM, 2376 bytes, A Adds the file French_iss.ini"="7/17/2017 1:07 PM, 2800 bytes, A Adds the file german_iss.ini"="7/17/2017 1:07 PM, 2666 bytes, A Adds 
the file HtmlRenderer.dll"="10/30/2017 5:09 PM, 229216 bytes, A Adds the file HtmlRenderer.WinForms.dll"="10/30/2017 5:09 PM, 67936 bytes, A Adds the file ICSharpCode.SharpZipLib.dll"="10/30/2017 5:09 PM, 200032 bytes, A Adds the file IdentityProtector.exe"="10/30/2017 5:09 PM, 4313440 bytes, A Adds the file IdentityProtector.exe.config"="9/14/2017 5:09 PM, 3791 bytes, A Adds the file IEDecoder.dll"="10/30/2017 5:09 PM, 188256 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="10/30/2017 5:09 PM, 56672 bytes, A Adds the file Interop.Redemption.dll"="10/30/2017 5:09 PM, 1199456 bytes, A Adds the file IPSRCont.dll"="10/30/2017 5:10 PM, 19024736 bytes, A Adds the file italian_iss.ini"="7/17/2017 1:07 PM, 2540 bytes, A Adds the file itextsharp.dll"="10/30/2017 5:09 PM, 4050272 bytes, A Adds the file japanese_iss.ini"="7/17/2017 1:07 PM, 1852 bytes, A Adds the file langs.db"="9/14/2017 7:09 PM, 711680 bytes, A Adds the file Log.xsl"="4/17/2017 8:21 PM, 43506 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="10/30/2017 5:09 PM, 178528 bytes, A Adds the file NAudio.dll"="10/30/2017 5:09 PM, 478560 bytes, A Adds the file Newtonsoft.Json.dll"="10/30/2017 5:09 PM, 472928 bytes, A Adds the file norwegian_iss.ini"="7/17/2017 1:07 PM, 2366 bytes, A Adds the file portuguese_iss.ini"="7/17/2017 1:06 PM, 2432 bytes, A Adds the file russian_iss.ini"="7/17/2017 1:06 PM, 2502 bytes, A Adds the file spanish_iss.ini"="7/17/2017 1:06 PM, 2556 bytes, A Adds the file swedish_iss.ini"="7/17/2017 1:06 PM, 2278 bytes, A Adds the file System.Data.SQLite.DLL"="10/30/2017 5:09 PM, 298336 bytes, A Adds the file TAFactory.IconPack.dll"="10/30/2017 5:09 PM, 44384 bytes, A Adds the file unins000.dat"="12/7/2017 9:18 AM, 85915 bytes, A Adds the file unins000.exe"="12/7/2017 9:17 AM, 1259360 bytes, A Adds the file unins000.msg"="12/7/2017 9:18 AM, 22701 bytes, A Adds the file UrlHistoryLibrary.dll"="10/30/2017 5:09 PM, 32096 bytes, A Adds the folder C:\Program Files (x86)\Identity 
Protector\x64 Adds the file SQLite.Interop.dll"="10/30/2017 5:09 PM, 1183072 bytes, A Adds the folder C:\Program Files (x86)\Identity Protector\x86 Adds the file SQLite.Interop.dll"="10/30/2017 5:09 PM, 862048 bytes, A Adds the folder C:\ProgramData\IdentityProtector.co\Identity Protector\offers Adds the file idpieextsetup.exe"="12/7/2017 9:21 AM, 3886440 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Identity Protector Adds the file Buy Identity Protector.lnk"="12/7/2017 9:18 AM, 1160 bytes, A Adds the file Identity Protector.lnk"="12/7/2017 9:18 AM, 1140 bytes, A Adds the file Uninstall Identity Protector.lnk"="12/7/2017 9:18 AM, 1111 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\IdentityProtector.co\Identity Protector Adds the file bkp.xml"="12/7/2017 9:18 AM, 492 bytes, A Adds the file Errorlog.txt"="12/7/2017 9:21 AM, 7298 bytes, A Adds the file udu.xml"="12/7/2017 9:21 AM, 1254 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\IdentityProtector.co\Identity Protector\Backups Adds the file ipsbackup_07122017_091855.bin"="12/7/2017 9:18 AM, 9567 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\IdentityProtector.co\Identity Protector\Result Adds the file mailFF.bin"="12/7/2017 9:18 AM, 800 bytes, A Adds the file resFF.bin"="12/7/2017 9:18 AM, 3808 bytes, A Adds the file resGC.bin"="12/7/2017 9:18 AM, 3616 bytes, A Adds the file resIE.bin"="12/7/2017 9:18 AM, 800 bytes, A Adds the file resMF.bin"="12/7/2017 9:18 AM, 800 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Speech\Files\UserLexicons Adds the file SP_B40A6D1FDC86462E95E493FEB579F20C.dat"="12/7/2017 9:18 AM, 940 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Identity Protector.lnk"="12/7/2017 9:18 AM, 1122 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Identity Protector_Logon"="12/7/2017 9:18 AM, 3084 bytes, A Registry details [View: All details] (Selection) 
------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IdentityProtector.co\Identity Protector] "actflw"="REG_SZ", "0" "affiliateid"="REG_SZ", "" "affired"="REG_DWORD", 1 "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "defaultshow"="REG_SZ", "0" "delay"="REG_DWORD", 0 "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .............................................................................................................................................................................................................................................................................................. "HideCloseNag"="REG_SZ", "1" "Installstring"="REG_SZ", "C:\Program Files (x86)\Identity Protector" "InstallUrl"="REG_SZ", "http://www.identityprotector.co/ip/afterinstall/?" "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstccncount"="REG_DWORD", 0 "lstcleancount"="REG_DWORD", 0 "lstcleandate"="REG_SZ", "" "lstpdwcount"="REG_DWORD", 1 "lstphncount"="REG_DWORD", 1 "lstscandate"="REG_SZ", "12/7/2017 9:18:55 AM" "lstscanstat"="REG_DWORD", 2 "lstscantracecount"="REG_DWORD", 2 "lstsecurecount"="REG_DWORD", 0 "lstselectedtraces"="REG_DWORD", 0 "lstssncount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 2 "lstvaultstatus"="REG_DWORD", 0 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.identityprotector.co/ip/price/" "pxl"="REG_SZ", "idp2315_idp2266_idp1203" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.identityprotector.co/ip/renewal/" "runcam"="REG_DWORD", 0 "runpixel"="REG_SZ", "0" "runsrc"="REG_SZ", "0" "showtn"="REG_DWORD", 1 "showunins"="REG_DWORD", 1 "showwfo"="REG_DWORD", 1 "supporturl"="REG_SZ", "http://www.identityprotector.co/faq/" "TELNO"="REG_SZ", "+31-08-58882839" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "1800-832-113" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 
508 70 37" "TELNO_de"="REG_SZ", "0800 1822 483" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "(331)-73443263" "TELNO_gb"="REG_SZ", "0800-031-5332" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "+81-345-895-157" "TELNO_jp"="REG_SZ", "+81-345-895-157" "TELNO_lu"="REG_SZ", "0800 1822 483" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5332" "TELNO_us"="REG_SZ", "800-647-4326" "tflg"="REG_DWORD", 0 "utm_campaign"="REG_SZ", "idpsite" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "idpsite" "WebURL"="REG_SZ", "http://www.identityprotector.co/" "wfoset"="REG_DWORD", 1 "x-base"="REG_SZ", "" "x-ccode"="REG_SZ", "nl" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "163_158_232_234" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ips-pr] "affiliateid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "phone"="REG_SZ", "" "pxl"="REG_SZ", "idp2315_idp2266_idp1203" "utm_campaign"="REG_SZ", "idpsite" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\39B262A6-2E6C-4AF9-BEF7-E43DD1035C2B_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Identity Protector\IdentityProtector.exe" "DisplayName"="REG_SZ", "Identity Protector" "DisplayVersion"="REG_SZ", "1.0.0.34513" "EstimatedSize"="REG_DWORD", 34185 "HelpLink"="REG_SZ", "http://www.identityprotector.co/faq/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Identity Protector" "Inno Setup: Icon Group"="REG_SZ", "Identity Protector" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.5 (u)" "Inno Setup: User"="REG_SZ", "{username}" 
"InstallDate"="REG_SZ", "20171207" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Identity Protector\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "IdentityProtector.co" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Identity Protector\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Identity Protector\unins000.exe" /SILENT" "URLInfoAbout"="REG_SZ", "http://www.identityprotector.co/" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SWRlbnRpdHlQcm90ZWN0b3IuY28=\SWRlbnRpdHkgUHJvdGVjdG9y\ACT] "data"="REG_BINARY, ........................................................................................................................................................................................................................................................................................................................................................................................................._............................... 
[HKEY_CURRENT_USER\Software\IdentityProtector.co\Identity Protector] "affiliateid"="REG_SZ", "" "Installstring"="REG_SZ", "C:\Program Files (x86)\Identity Protector" "LangCode"="REG_SZ", "en" "pxl"="REG_SZ", "idp2315_idp2266_idp1203" "utm_campaign"="REG_SZ", "idpsite" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "idpsite" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "163_158_232_234" [HKEY_CURRENT_USER\Software\IdentityProtector.co\Identity Protector\1.0.0.34513] Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/7/17 Scan Time: 9:31 AM Log File: 0f0d50be-db29-11e7-ae87-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3431 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243253 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 1 min, 57 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.IdentityProtector, C:\PROGRAM FILES (X86)\IDENTITY PROTECTOR\IDENTITYPROTECTOR.EXE, Quarantined, [4659], [466296],1.0.3431 Module: 1 PUP.Optional.IdentityProtector, C:\PROGRAM FILES (X86)\IDENTITY PROTECTOR\IDENTITYPROTECTOR.EXE, Quarantined, [4659], [466296],1.0.3431 Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 2 PUP.Optional.IdentityProtector, C:\PROGRAM FILES (X86)\IDENTITY PROTECTOR\IDENTITYPROTECTOR.EXE, Quarantined, [4659], [466296],1.0.3431 PUP.Optional.IdentityProtector, C:\USERS\{username}\DESKTOP\IPSETUPSITE.EXE, Quarantined, [4659], [466296],1.0.3431 
Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
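The scan log above has a fixed layout (section headers between dashes, "Key: Value" lines, then per-category counts followed by one line per detection), which makes it easy to turn into something a ticket or a SIEM can use. The following parser is an added example written for this page, not code from the original post or from Malwarebytes; the format is inferred from the logs quoted here, and the sample input is the Identity Protector log above, trimmed. It keeps a consistency check between the counts a log declares and the detection lines it actually contains, because a log that fails that check has been truncated or mangled in transit and should not be acted on as-is.

```python
import re
from dataclasses import dataclass, field

# Sample input, taken from the Identity Protector scan log quoted above and
# trimmed to the sections the parser uses ({username} is the post's own
# redaction). One zero-count category is written in the real two-line layout
# and one in the run-together form seen on this page; both must parse.
SAMPLE_LOG = r"""
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 243253
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 1 min, 57 sec

-Scan Details-
Process: 1
PUP.Optional.IdentityProtector, C:\PROGRAM FILES (X86)\IDENTITY PROTECTOR\IDENTITYPROTECTOR.EXE, Quarantined, [4659], [466296],1.0.3431

Module: 1
PUP.Optional.IdentityProtector, C:\PROGRAM FILES (X86)\IDENTITY PROTECTOR\IDENTITYPROTECTOR.EXE, Quarantined, [4659], [466296],1.0.3431

Folder: 0 (No malicious items detected)

File: 2
PUP.Optional.IdentityProtector, C:\PROGRAM FILES (X86)\IDENTITY PROTECTOR\IDENTITYPROTECTOR.EXE, Quarantined, [4659], [466296],1.0.3431
PUP.Optional.IdentityProtector, C:\USERS\{username}\DESKTOP\IPSETUPSITE.EXE, Quarantined, [4659], [466296],1.0.3431

Physical Sector: 0
(No malicious items detected)

(end)
"""

SECTION_RE = re.compile(r"^-(?P<name>[A-Za-z ]+)-$")
CATEGORY_RE = re.compile(
    r"^(?P<cat>[A-Za-z ]+): (?P<count>\d+)\s*(?:\(No malicious items detected\))?$")
# <family>, <path>, <action>, [id], [id],<update package version>
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+), (?P<action>[^,\[]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<version>[\d.]+)$")


@dataclass
class Detection:
    category: str  # Process, Module, Registry Key, Folder, File, ...
    name: str      # detection family, e.g. PUP.Optional.IdentityProtector
    path: str      # file path or registry location
    action: str    # Quarantined, Replaced, ...


@dataclass
class ScanReport:
    summary: dict = field(default_factory=dict)          # Key: Value pairs outside -Scan Details-
    declared_counts: dict = field(default_factory=dict)  # category -> count the log claims
    detections: list = field(default_factory=list)


def parse_log(text):
    """Single pass over the log, tracking the current -Section- and detail category."""
    report, section, category = ScanReport(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Scan Details":
            m = CATEGORY_RE.match(line)
            if m:
                category = m.group("cat")
                report.declared_counts[category] = int(m.group("count"))
                continue
            m = DETECTION_RE.match(line)
            if m and category is not None:
                report.detections.append(
                    Detection(category, m.group("name"), m.group("path"), m.group("action")))
        elif ": " in line:
            key, value = line.split(": ", 1)
            report.summary[key] = value
    return report


def threats_detected(report):
    return int(report.summary.get("Threats Detected", 0))


def count_mismatches(report):
    """Categories whose declared count differs from the detection lines parsed.

    A non-empty result means the log was truncated or mangled in transit."""
    parsed = {}
    for d in report.detections:
        parsed[d.category] = parsed.get(d.category, 0) + 1
    return {cat: (n, parsed.get(cat, 0))
            for cat, n in report.declared_counts.items() if n != parsed.get(cat, 0)}


def paths_by_family(report):
    """Unique locations per detection family: the list a responder acts on."""
    out = {}
    for d in report.detections:
        out.setdefault(d.name, set()).add(d.path)
    return out


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print(threats_detected(r), "threats; mismatches:", count_mismatches(r))
    for family, paths in paths_by_family(r).items():
        print(family, sorted(paths))
```

The same binary is reported three times (as a process, a module and a file), so `paths_by_family` deduplicates by location rather than by line; the two locations it returns for this log are the installed executable and the installer left on the desktop.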
3. What is fromDOCtoPDF?

The Malwarebytes research team has determined that fromDOCtoPDF is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. fromDOCtoPDF is a member of the Mindspark/Ask family, now known as IAC Applications.

How do I know if my computer is affected by fromDOCtoPDF?

You may see these browser extensions/add-ons:

these warnings during install:

You may see this entry in your list of installed software:

and this new homepage in the affected browsers:

How did fromDOCtoPDF get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.

How do I remove fromDOCtoPDF?

Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise following the steps below anyway.

Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of fromDOCtoPDF?

If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the fromDOCtoPDF entry and confirm Remove in the prompt.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the fromDOCtoPDF hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.

and it blocks traffic to some of their domains:

Technical details for experts

Possible signs in a FRST log:

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/fromdoctopdf/ttab02ie/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_65Members_@download.fromdoctopdf.com.xpi [2017-12-06]
CHR Extension: (FromDocToPDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie [2017-12-06]
C:\Users\{username}\AppData\Local\FromDocToPDFTooltab
FromDocToPDF Internet Explorer Homepage and New Tab (HKCU\...\FromDocToPDFTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION

Most significant changes made by the installers:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\FromDocToPDFTooltab
    Adds the file TooltabExtension.dll"="9/13/2017 8:43 PM, 266864 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0
    Adds the file dynamicNewTab.html"="11/7/2017 10:34 AM, 932 bytes, A
    Adds the file manifest.json"="12/6/2017 9:31 AM, 2498 bytes, A
    Adds the file product.html"="11/7/2017 10:34 AM, 932 bytes, A
    Adds the file stubby.html"="11/7/2017 10:34 AM, 932 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata
    Adds the file computed_hashes.json"="12/6/2017 9:31 AM, 3620 bytes, A
    Adds the file verified_contents.json"="11/7/2017 10:34 AM, 4621 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\config
    Adds the file config.json"="11/7/2017 10:34 AM, 1517 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons
    Adds the file icon128.png"="12/6/2017 9:31 AM, 10808 bytes, A
    Adds the file icon16.png"="11/7/2017 10:34 AM, 1587 bytes, A
    Adds the file icon19disabled.png"="11/7/2017 10:34 AM, 1512 bytes, A
    Adds the file icon19on.png"="12/6/2017 9:31 AM, 702 bytes, A
    Adds the file icon48.png"="12/6/2017 9:31 AM, 3585 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js
    Adds the file ajax.js"="11/7/2017 10:34 AM, 2250 bytes, A
    Adds the file background.js"="11/7/2017 10:34 AM, 19608 bytes, A
    Adds the file chrome.js"="11/7/2017 10:34 AM, 180 bytes, A
    Adds the file content_script.js"="11/7/2017 10:34 AM, 5917 bytes, A
    Adds the file dlp.js"="11/7/2017 10:34 AM, 5690 bytes, A
    Adds the file dlpHelper.js"="11/7/2017 10:34 AM, 1836 bytes, A
    Adds the file extension_detect.js"="11/7/2017 10:34 AM, 4343 bytes, A
    Adds the file index.js"="11/7/2017 10:34 AM, 82 bytes, A
    Adds the file logger.js"="11/7/2017 10:34 AM, 575 bytes, A
    Adds the file pageUtils.js"="11/7/2017 10:34 AM, 2241 bytes, A
    Adds the file product.js"="11/7/2017 10:34 AM, 4434 bytes, A
    Adds the file storage.js"="11/7/2017 10:34 AM, 1675 bytes, A
    Adds the file TabManager.js"="11/7/2017 10:34 AM, 189 bytes, A
    Adds the file TemplateParser.js"="11/7/2017 10:34 AM, 3080 bytes, A
    Adds the file ul.js"="11/7/2017 10:34 AM, 3824 bytes, A
    Adds the file urlFragmentActions.js"="11/7/2017 10:34 AM, 2521 bytes, A
    Adds the file urlUtils.js"="11/7/2017 10:34 AM, 5385 bytes, A
    Adds the file util.js"="11/7/2017 10:34 AM, 3840 bytes, A
    Adds the file webtooltabAPI.js"="11/7/2017 10:34 AM, 8357 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\libs
    Adds the file PartnerId.js"="11/7/2017 10:34 AM, 22130 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie
    Adds the file 000003.log"="12/6/2017 9:31 AM, 5071 bytes, A
    Adds the file CURRENT"="12/6/2017 9:31 AM, 16 bytes, A
    Adds the file LOCK"="12/6/2017 9:31 AM, 0 bytes, A
    Adds the file LOG"="12/6/2017 9:32 AM, 412 bytes, A
    Adds the file LOG.old"="12/6/2017 9:31 AM, 185 bytes, A
    Adds the file MANIFEST-000001"="12/6/2017 9:31 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_65Members_@download.fromdoctopdf.com
    Adds the file storage.js"="12/6/2017 9:32 AM, 2501 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
    Adds the file _65Members_@download.fromdoctopdf.com.xpi"="12/6/2017 9:28 AM, 55285 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\FromDocToPDF]
"Start Page"="REG_SZ", "http://hp.myway.com/fromdoctopdf/ttab02ie/index.html?n={n}&p2=^Y6^mni000^ttab02&ptb={ptb}&coid={coid}"
"UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2F%3D{ptb}%26ptb%3Dttab02"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://hp.myway.com/fromdoctopdf/ttab02ie/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FromDocToPDFTooltab Uninstall Internet Explorer]
"DisplayName"="REG_SZ", "FromDocToPDF Internet Explorer Homepage and New Tab"
"HelpLink"="REG_SZ", "http://support.mindspark.com/"
"Publisher"="REG_SZ", "Mindspark Interactive Network, Inc."
"UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\FromDocToPDFTooltab\TooltabExtension.dll" U uninstall:FromDocToPDF" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/6/17 Scan Time: 9:42 AM Log File: 62debd36-da61-11e7-ae87-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3421 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243087 Threats Detected: 56 Threats Quarantined: 56 Time Elapsed: 1 min, 56 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FromDocToPDFTooltab\TooltabExtension.dll, Quarantined, [777], [356944],1.0.3421 Registry Key: 1 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FromDocToPDFTooltab Uninstall Internet Explorer, Quarantined, [777], [356944],1.0.3421 Registry Value: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FromDocToPDFTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [225], [352442],1.0.3421 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [225], [293497],1.0.3421 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FromDocToPDFTooltab, Quarantined, [777], [356944],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie, Quarantined, [777], 
[456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\config, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\libs, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KBFHENINKDONANKPFFGBMKILNLKMPDIE\13.321.12.16049_0, Quarantined, [777], [456842],1.0.3421 File: 43 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FromDocToPDFTooltab\TooltabExtension.dll, Quarantined, [777], [356944],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_65Members_@download.fromdoctopdf.com.xpi, Quarantined, [777], [457930],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, 
C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\000003.log, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\CURRENT, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\LOCK, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\LOG, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\LOG.old, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\MANIFEST-000001, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KBFHENINKDONANKPFFGBMKILNLKMPDIE\13.321.12.16049_0\CONFIG\CONFIG.JSON, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon128.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon16.png, Quarantined, [777], [456842],1.0.3421 
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon19disabled.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon19on.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon48.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\ajax.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\background.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\chrome.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\content_script.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\dlp.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\dlpHelper.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\extension_detect.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\index.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\logger.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\pageUtils.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\product.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\storage.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\TabManager.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\TemplateParser.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\ul.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\urlFragmentActions.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\urlUtils.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\util.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\webtooltabAPI.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\libs\PartnerId.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata\computed_hashes.json, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata\verified_contents.json, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\dynamicNewTab.html, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\manifest.json, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\product.html, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\stubby.html, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FROMDOCTOPDF.EXE, Quarantined, [225], [365288],1.0.3421 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
4. What is Searchfort Plus?

The Malwarebytes research team has determined that Searchfort Plus is a Chrome search hijacker. These so-called "hijackers" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Searchfort Plus?

You may see this Chrome extension:

and these warnings during install:

And you may see this new setting:

How did Searchfort Plus get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore after a redirect.

How do I remove Searchfort Plus?

Our program Malwarebytes can detect and remove this potentially unwanted program.

Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Searchfort Plus?

If you are using an older version of Malwarebytes, you may have to remove the Extension manually under Tools > More Tools > Extensions. Click on the bin behind the Searchfort Plus entry and confirm Remove in the prompt.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the Searchfort Plus hijacker.

It blocks traffic to their domains:

Technical details for experts

Possible signs in a FRST log:

CHR DefaultSearchURL: Default -> hxxp://www.searchfortplus.com/lookup.html?q={searchTerms}
CHR DefaultSearchKeyword: Default -> obifind
CHR Extension: (Searchfort Plus) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp [2017-12-05]

Changes made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0
    Adds the file background.js"="11/2/2017 10:28 AM, 583 bytes, A
    Adds the file icon128.png"="12/5/2017 9:19 AM, 178 bytes, A
    Adds the file manifest.json"="12/5/2017 9:19 AM, 1370 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0\_metadata
    Adds the file computed_hashes.json"="12/5/2017 9:19 AM, 241 bytes, A
    Adds the file verified_contents.json"="11/12/2017 1:44 PM, 1525 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"fgmobdghmdbfpeockbljcdiknkeakobp"="REG_SZ", "9BBDCA382A0943F21D3B76DC733525A3F56334D8AA1EFAFA7FB4C6E7E8F921E5"

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/5/17
Scan Time: 9:09 AM
Log File: 905e7d06-d993-11e7-ae87-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3412
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242889
Threats Detected: 10
Threats Quarantined: 10
Time Elapsed: 1 min, 55 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.SearchfortPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0\_metadata, Quarantined, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0, Quarantined, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\fgmobdghmdbfpeockbljcdiknkeakobp, Quarantined, [4586], [465745],1.0.3412

File: 7
PUP.Optional.SearchfortPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0\_metadata\computed_hashes.json, Quarantined, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0\_metadata\verified_contents.json, Quarantined, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0\background.js, Quarantined, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0\icon128.png, Quarantined, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp\1.0.1_0\manifest.json, Quarantined, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [4586], [465745],1.0.3412
PUP.Optional.SearchfortPlus, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [4586], [465745],1.0.3412

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
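Checking a FRST log by hand for the signs listed in these entries is fine for one machine and error-prone for a fleet. The following Python is an added example written for this page, not FRST's own code nor Malwarebytes code. It parses the FRST line shapes quoted in the fromDOCtoPDF and Searchfort Plus entries above (IE Start Page, FF Extension, CHR Extension, CHR DefaultSearch*), plus the Task: line form used in the DriverUpdatePlus entry that follows, and matches the result against a watchlist built only from the indicators published on this page. The sample lines are the ones quoted here plus one constructed benign extension line whose id (abcdefghijklmnopabcdefghijklmnop) is made up; the kind names, the watchlist sets and the flagging rules are the example's own choices, not FRST output categories.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Sample input: the FRST lines quoted in the fromDOCtoPDF, Searchfort Plus and
# DriverUpdatePlus entries on this page, plus one constructed benign Chrome
# extension line (the id abcdefghijklmnopabcdefghijklmnop is made up) that the
# watchlist must leave alone. {username} and {profile} are the page's redactions.
SAMPLE_FRST = r"""
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/fromdoctopdf/ttab02ie/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_65Members_@download.fromdoctopdf.com.xpi [2017-12-06]
CHR Extension: (FromDocToPDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie [2017-12-06]
CHR DefaultSearchURL: Default -> hxxp://www.searchfortplus.com/lookup.html?q={searchTerms}
CHR DefaultSearchKeyword: Default -> obifind
CHR Extension: (Searchfort Plus) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmobdghmdbfpeockbljcdiknkeakobp [2017-12-05]
CHR Extension: (Constructed Benign Extension) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2017-11-20]
Task: {18149E5A-04D1-46A3-8BC1-C6573B2AC61F} - System32\Tasks\DriverUpdate Plus Autostart => C:\Program Files (x86)\DriverUpdaterPlus\DriverUpdatePlus.exe [2016-06-23] ()
"""

# Watchlist built only from indicators published on this page.
WATCH_EXTENSION_IDS = {"kbfheninkdonankpffgbmkilnlkmpdie", "fgmobdghmdbfpeockbljcdiknkeakobp"}
WATCH_DOMAINS = {"myway.com", "searchfortplus.com", "fromdoctopdf.com"}

# Chrome extension ids are 32 characters drawn from a-p.
CHR_EXT_RE = re.compile(r"^CHR Extension: \((?P<name>[^)]*)\) - (?P<path>.+\\(?P<id>[a-p]{32})) \[\d{4}-\d{2}-\d{2}\]$")
FF_EXT_RE = re.compile(r"^FF Extension: (?P<name>.+?) - (?P<path>.+) \[\d{4}-\d{2}-\d{2}\]$")
CHR_SETTING_RE = re.compile(r"^CHR (?P<key>\w+): (?P<profile>\w+) -> (?P<value>.+)$")
REG_SETTING_RE = re.compile(r"^(?P<key>HK(?:LM|CU)\\[^,]+),(?P<name>[^=]+?) = (?P<value>.+)$")
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<task>.+?) => (?P<target>.+?)"
                     r"(?: \[\d{4}-\d{2}-\d{2}\])?(?: \([^)]*\))?$")

Indicator = namedtuple("Indicator", "kind key value")

# (kind, pattern, how to pick key and value from the match); first match wins.
RULES = [
    ("chrome_extension", CHR_EXT_RE, lambda m: (m.group("id"), m.group("path"))),
    ("firefox_extension", FF_EXT_RE, lambda m: (m.group("name"), m.group("path"))),
    ("chrome_setting", CHR_SETTING_RE, lambda m: (m.group("key"), m.group("value"))),
    ("registry_setting", REG_SETTING_RE,
     lambda m: (m.group("key") + "\\" + m.group("name"), m.group("value"))),
    ("scheduled_task", TASK_RE, lambda m: (m.group("task"), m.group("target"))),
]


def parse_frst(text):
    """Turn the FRST line shapes above into (kind, key, value) indicators; other lines are ignored."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx, pick in RULES:
            m = rx.match(line)
            if m:
                key, value = pick(m)
                found.append(Indicator(kind, key, value))
                break
    return found


def host_of(value):
    """Hostname of a URL (accepting FRST's hxxp defanging), or None for non-URL values."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    if not url.lower().startswith(("http://", "https://")):
        return None
    return (urlparse(url).hostname or "").lower() or None


def on_watch_domain(host):
    return host is not None and any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def flag(indicators):
    """Match indicators against the watchlist; returns (reason, indicator) pairs."""
    hits = []
    for ind in indicators:
        if ind.kind == "chrome_extension" and ind.key in WATCH_EXTENSION_IDS:
            hits.append(("watchlisted Chrome extension id", ind))
        elif ind.kind == "firefox_extension" and any(d in ind.value.lower() for d in WATCH_DOMAINS):
            hits.append(("watchlisted domain in Firefox extension path", ind))
        elif ind.kind in ("chrome_setting", "registry_setting") and on_watch_domain(host_of(ind.value)):
            hits.append(("search or start page points at a watchlisted domain", ind))
        elif ind.kind == "scheduled_task" and not ind.value.lower().startswith("c:\\windows\\"):
            hits.append(("autostart task runs a third-party binary, verify its target", ind))
    return hits


if __name__ == "__main__":
    for reason, ind in flag(parse_frst(SAMPLE_FRST)):
        print(f"{reason}: {ind.kind} {ind.key} -> {ind.value}")
```

Matching extensions by id rather than by display name is deliberate: the id is what Chrome keys the extension directory and the Secure Preferences entry on, while the display name is whatever the manifest says. Domain matching is done on the parsed hostname so that a start page on a subdomain (hp.myway.com above) still hits the registered domain, and the "DefaultSearchKeyword" line, whose value is not a URL, is left alone.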
5. What is DriverUpdatePlus?

The Malwarebytes research team has determined that DriverUpdatePlus is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with DriverUpdatePlus?

This is how the main screen of the system optimizer looks:

You will find these icons in your taskbar, your startmenu, and on your desktop:

and see this warning during install:

and these screens during "operations":

You may see this entry in your list of installed programs:

and this task in your list of Scheduled Tasks:

How did DriverUpdatePlus get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website after a redirect:

How do I remove DriverUpdatePlus?

Our program Malwarebytes can detect and remove this potentially unwanted application.

Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of DriverUpdatePlus?

No, Malwarebytes removes DriverUpdatePlus completely.
This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this system optimizer. As you can see below, the full version of Malwarebytes would have protected you against the DriverUpdatePlus installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

and we block access to their domain:

Technical details for experts

You may see these entries in FRST logs:

() C:\Program Files (x86)\DriverUpdaterPlus\DriverUpdatePlus.exe
C:\ProgramData\BSD
C:\ProgramData\DriverUpdatePlus
C:\ProgramData\clp
C:\Program Files (x86)\DriverUpdaterPlus
C:\Windows\System32\Tasks\DriverUpdate Plus Autostart
C:\Users\Public\Desktop\DriverUpdate Plus.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdaterPlus
C:\Windows\win.ini
DriverUpdate Plus (HKLM-x32\...\{0BA34907-EB18-404E-B423-C92C94EF924D}) (Version: 1.0.50 - Speedbit Technology)
Task: {18149E5A-04D1-46A3-8BC1-C6573B2AC61F} - System32\Tasks\DriverUpdate Plus Autostart => C:\Program Files (x86)\DriverUpdaterPlus\DriverUpdatePlus.exe [2016-06-23] ()

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\DriverUpdaterPlus
    Adds the file DPInst64.exe"="4/22/2013 1:59 PM, 670720 bytes, A
    Adds the file DriverHiveEngine.dll"="2/17/2014 10:22 AM, 1779200 bytes, A
    Adds the file DriverUpdatePlus.exe"="6/23/2016 6:17 PM, 3034816 bytes, A
    Adds the file Eula.pdf"="6/26/2015 4:45 PM, 69820 bytes, A
    Adds the file main.ico"="6/10/2016 6:47 PM, 100022 bytes, A
    Adds the file updater.exe"="6/23/2016 6:17 PM, 511680 bytes, A
Adds the folder C:\Program Files (x86)\DriverUpdaterPlus\resources
    Adds the file account_icon.png"="6/26/2015 4:45 PM, 2983 bytes, A
    Adds the file account_logo.png"="6/22/2016 3:00 PM, 5494 bytes, A
    Adds the file action_btn_selected.png"="6/26/2015 4:45 PM, 3268 bytes, A
    Adds the file action_btn_unselected.png"="6/26/2015 4:45 PM, 1346 bytes, A
    Adds the file actions_icon.png"="6/26/2015 4:45 PM, 3419 bytes, A
    Adds the file activate_icon.png"="6/26/2015 4:45 PM, 7784 bytes, A
    Adds the file alert_popup.png"="6/22/2016 3:00 PM, 14896 bytes, A
    Adds the file arrow_down.png"="6/26/2015 4:45 PM, 132 bytes, A
    Adds the file arrow_right.png"="6/26/2015 4:45 PM, 172 bytes, A
    Adds the file buy_now.png"="6/26/2015 4:45 PM, 21001 bytes, A
    Adds the file cancel_button_selected.png"="6/26/2015 4:45 PM, 1168 bytes, A
    Adds the file cancel_button_unselected.png"="6/26/2015 4:45 PM, 1168 bytes, A
    Adds the file default.png"="6/26/2015 4:45 PM, 16622 bytes, A
    Adds the file default.theme"="6/26/2015 4:45 PM, 11855 bytes, A
    Adds the file home_icon.png"="6/26/2015 4:45 PM, 1330 bytes, A
    Adds the file indicator.png"="6/26/2015 4:45 PM, 11366 bytes, A
    Adds the file indicator_arrow.png"="6/26/2015 4:45 PM, 1112 bytes, A
    Adds the file languages.lst"="10/27/2015 6:56 PM, 159 bytes, A
    Adds the file left_tab_selected.png"="6/26/2015 4:45 PM, 977 bytes, A
    Adds the file left_tab_unselected.png"="6/26/2015 4:45 PM, 1063 bytes, A
    Adds the file license1.png"="6/26/2015 4:45 PM, 16622 bytes, A
    Adds the file license2.png"="6/26/2015 4:45 PM, 19002 bytes, A
    Adds the file line_brush.png"="6/26/2015 4:45 PM, 2792 bytes, A
    Adds the file logo.png"="6/23/2016 6:12 PM, 4673 bytes, A
    Adds the file main.ico"="6/10/2016 6:47 PM, 100022 bytes, A
    Adds the file main_background_f.png"="6/22/2016 3:00 PM, 23267 bytes, A
    Adds the file main_background_p.png"="6/22/2016 3:00 PM, 22386 bytes, A
    Adds the file main_button_selected.png"="6/26/2015 4:45 PM, 1110 bytes, A
    Adds the file main_button_unselected.png"="6/26/2015 4:45 PM, 1037 bytes, A
    Adds the file middle_tab_selected.png"="6/26/2015 4:45 PM, 977 bytes, A
    Adds the file middle_tab_unselected.png"="6/26/2015 4:45 PM, 1063 bytes, A
    Adds the file minor_button_selected.png"="6/26/2015 4:45 PM, 1195 bytes, A
    Adds the file minor_button_unselected.png"="6/26/2015 4:45 PM, 1195 bytes, A
    Adds the file notification_popup.png"="6/22/2016 3:00 PM, 5272 bytes, A
    Adds the file promo_en_GB.png"="6/26/2015 4:45 PM, 32961 bytes, A
    Adds the file right_tab_selected.png"="6/26/2015 4:45 PM, 977 bytes, A
    Adds the file right_tab_unselected.png"="6/26/2015 4:45 PM, 1063 bytes, A
    Adds the file scan_btn.png"="6/26/2015 5:39 PM, 985 bytes, A
    Adds the file scan_btn_selected.png"="6/26/2015 4:45 PM, 3268 bytes, A
    Adds the file scan_btn_unselected.png"="6/26/2015 4:45 PM, 1346 bytes, A
    Adds the file scan_completed.wav"="4/15/2016 4:42 PM, 1876120 bytes, A
    Adds the file scan_icon.png"="6/26/2015 4:45 PM, 3114 bytes, A
    Adds the file scan_result.png"="6/26/2015 4:45 PM, 5299 bytes, A
    Adds the file scan1.png"="6/26/2015 4:45 PM, 19763 bytes, A
    Adds the file scan2.png"="6/26/2015 4:45 PM, 20719 bytes, A
    Adds the file scan3.png"="6/26/2015 4:45 PM, 22322 bytes, A
    Adds the file selection.png"="6/26/2015 4:45 PM, 108 bytes, A
    Adds the file settings_icon.png"="6/26/2015 4:45 PM, 4080 bytes, A
    Adds the file settings_rollup_selected.png"="6/26/2015 4:45 PM, 8901 bytes, A
    Adds the file settings_rollup_unselected.png"="6/26/2015 4:45 PM, 1264 bytes, A
    Adds the file sub_tab_selected.png"="6/26/2015 4:45 PM, 1277 bytes, A
    Adds the file sub_tab_unselected.png"="6/26/2015 4:45 PM, 1300 bytes, A
    Adds the file tiny_button_selected.png"="6/26/2015 4:45 PM, 382 bytes, A
    Adds the file tiny_button_unselected.png"="6/26/2015 4:45 PM, 321 bytes, A
    Adds the file tiny_notification_popup.png"="6/22/2016 3:00 PM, 3370 bytes, A
    Adds the file ui_en_GB.ts"="5/10/2013 5:41 PM, 12421 bytes, A
    Adds the file ui_ja_JP.ts"="11/18/2015 1:12 PM, 13858 bytes, A
    Adds the file ui_ru.ts"="5/10/2013 5:42 PM, 14698 bytes, A
    Adds the file ui_sv.ts"="6/10/2013 9:49 PM, 12791 bytes, A
    Adds the file ui_uk.ts"="5/10/2013 5:42 PM, 14639 bytes, A
    Adds the file ui_zh_CN.ts"="7/28/2015 9:29 AM, 12471 bytes, A
    Adds the file update1.png"="6/26/2015 4:45 PM, 16622 bytes, A
    Adds the file update2.png"="6/26/2015 4:45 PM, 24251 bytes, A
    Adds the file update3.png"="6/26/2015 4:45 PM, 24481 bytes, A
    Adds the file
update4.png"="6/26/2015 4:45 PM, 24003 bytes, A Adds the folder C:\ProgramData\BSD Adds the file bdupdata"="12/4/2017 9:30 AM, 912 bytes, A Adds the folder C:\ProgramData\BSD\DriverHive Adds the file history2.dat"="12/4/2017 9:30 AM, 63 bytes, A Adds the folder C:\ProgramData\BSD\DriverHiveEngine Adds the file scandet2.dat"="12/4/2017 9:30 AM, 51898 bytes, A Adds the file scansummary2.dat"="12/4/2017 9:30 AM, 189 bytes, A Adds the folder C:\ProgramData\clp Adds the file clp.cid"="12/4/2017 9:29 AM, 1274 bytes, HSA Adds the file PB_DU-002.lic"="12/4/2017 9:29 AM, 828 bytes, A Adds the folder C:\ProgramData\DriverUpdatePlus Adds the file updatedata"="12/4/2017 9:29 AM, 496 bytes, A Adds the folder C:\ProgramData\DriverUpdatePlus\logs Adds the file activity.log"="12/4/2017 9:29 AM, 0 bytes, A Adds the file core.log"="12/4/2017 9:29 AM, 0 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdaterPlus Adds the file DriverUpdate Plus.lnk"="12/4/2017 9:28 AM, 2020 bytes, A Adds the file End User Licence Agreement.lnk"="12/4/2017 9:28 AM, 994 bytes, A Adds the file Uninstall DriverUpdate Plus.lnk"="12/4/2017 9:28 AM, 1864 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file DriverUpdate Plus.lnk"="12/4/2017 9:28 AM, 2002 bytes, A In the existing folder C:\Windows Alters the file win.ini In the existing folder C:\Windows\System32\Tasks Adds the file DriverUpdate Plus Autostart"="12/4/2017 9:28 AM, 3312 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\70943AB081BEE4044B329CC249FE29D4] "AdvertiseFlags"="REG_DWORD", 388 "Assignment"="REG_DWORD", 1 "AuthorizedLUAApp"="REG_DWORD", 0 "Clients"="REG_MULTI_SZ, ": " "DeploymentFlags"="REG_DWORD", 3 "InstanceType"="REG_DWORD", 0 "Language"="REG_DWORD", 2057 "PackageCode"="REG_SZ", "893EFCC6042524847B25F6ABB857EE4E" "ProductIcon"="REG_SZ", 
"C:\Windows\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}\main.exe" "ProductName"="REG_SZ", "DriverUpdate Plus" "Version"="REG_DWORD", 16777266 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\70943AB081BEE4044B329CC249FE29D4\SourceList\URL] "1"="REG_EXPAND_SZ, "http://speedbit.av-updates.net/releases/du/1.0.50/" "SourceType"="REG_DWORD", 2 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders] "C:\Program Files (x86)\DriverUpdaterPlus\"="REG_SZ", "" "C:\Program Files (x86)\DriverUpdaterPlus\resources\"="REG_SZ", "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdaterPlus\"="REG_SZ", "1" "C:\Windows\Installer\{0BA34907-EB18-404E-B423-C92C94EF924D}\"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BSD\DriverHiveEngine] "DriverIgnoreList"="REG_SZ", "" "DriverUploadList"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0BA34907-EB18-404E-B423-C92C94EF924D}] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "This installer database contains the logic and data required to install DriverUpdate Plus." 
"Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "DriverUpdate Plus" "DisplayVersion"="REG_SZ", "1.0.50" "EstimatedSize"="REG_DWORD", 8607 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20171204" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\DriverUpdaterPlus\" "InstallSource"="REG_SZ", "http://speedbit.av-updates.net/releases/du/1.0.50/" "Language"="REG_DWORD", 2057 "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /I{0BA34907-EB18-404E-B423-C92C94EF924D}" "Publisher"="REG_SZ", "Speedbit Technology" "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /I{0BA34907-EB18-404E-B423-C92C94EF924D}" "URLInfoAbout"="REG_SZ", "http://www.driverupdateplus.com" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 16777266 "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Speedbit Technology\Driver Update Plus] [HKEY_CURRENT_USER\Software\BSD\PCZ] [HKEY_CURRENT_USER\Software\Driver Update] "Language"="REG_SZ", "en_GB" [HKEY_CURRENT_USER\Software\Speedbit Technology\Driver Update Plus] "Language"="REG_SZ", "en_GB" [HKEY_CURRENT_USER\Software\Speedbit Technology\DriverUpdate Plus] "Language"="REG_SZ", "en_GB" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/4/17 Scan Time: 9:46 AM Log File: a25b90da-d8cf-11e7-ae87-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3404 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 242823 Threats Detected: 89 Threats Quarantined: 88 Time Elapsed: 3 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 
PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\DriverUpdatePlus.exe, Quarantined, [11472], [261525],1.0.3404 Module: 2 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\DriverHiveEngine.dll, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\DriverUpdatePlus.exe, Quarantined, [11472], [261525],1.0.3404 Registry Key: 5 PUP.Optional.DriverUpdatePlus, HKCU\SOFTWARE\SPEEDBIT TECHNOLOGY\Driver Update Plus, Quarantined, [11472], [261555],1.0.3404 PUP.Optional.DriverUpdatePlus, HKCU\SOFTWARE\SPEEDBIT TECHNOLOGY\DriverUpdate Plus, Quarantined, [11472], [261555],1.0.3404 PUP.Optional.DriverUpdatePlus, HKLM\SOFTWARE\WOW6432NODE\SPEEDBIT TECHNOLOGY\Driver Update Plus, Quarantined, [11472], [261529],1.0.3404 PUP.Optional.DriverUpdatePlus, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0BA34907-EB18-404E-B423-C92C94EF924D}, Quarantined, [11472], [261556],1.0.3404 PUP.Optional.DriverUpdatePlus, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\DriverUpdate Plus Autostart, Quarantined, [11472], [261528],1.0.3404 Registry Value: 1 PUP.Optional.DriverUpdatePlus, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0BA34907-EB18-404E-B423-C92C94EF924D}|DISPLAYNAME, Quarantined, [11472], [261556],1.0.3404 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\PROGRAM FILES (X86)\DRIVERUPDATERPLUS, Removal Failed, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVERUPDATERPLUS, Quarantined, [11472], [182468],1.0.3404 File: 77 PUP.Optional.DriverUpdatePlus, C:\USERS\PUBLIC\DESKTOP\DRIVERUPDATE PLUS.LNK, Quarantined, [11472], [261524],1.0.3404 
PUP.Optional.DriverUpdatePlus, C:\WINDOWS\SYSTEM32\TASKS\DRIVERUPDATE PLUS AUTOSTART, Quarantined, [11472], [261526],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\PROGRAM FILES (X86)\DRIVERUPDATERPLUS\RESOURCES\PROMO_EN_GB.PNG, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\account_icon.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\account_logo.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\actions_icon.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\action_btn_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\action_btn_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\activate_icon.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\alert_popup.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\arrow_down.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\arrow_right.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\buy_now.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\cancel_button_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\cancel_button_unselected.png, Quarantined, [11472], [261525],1.0.3404 
PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\default.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\default.theme, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\home_icon.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\indicator.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\indicator_arrow.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\languages.lst, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\left_tab_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\license1.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\license2.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\line_brush.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\logo.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\main.ico, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\main_background_f.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\main_background_p.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files 
(x86)\DriverUpdaterPlus\resources\main_button_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\main_button_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\middle_tab_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\minor_button_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\minor_button_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\notification_popup.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\right_tab_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\right_tab_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan1.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan2.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan3.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan_btn.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan_btn_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan_completed.wav, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, 
C:\Program Files (x86)\DriverUpdaterPlus\resources\scan_icon.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan_result.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\selection.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\settings_icon.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\settings_rollup_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\settings_rollup_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\sub_tab_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\left_tab_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\middle_tab_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\scan_btn_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\sub_tab_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\tiny_button_selected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\tiny_button_unselected.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\tiny_notification_popup.png, Quarantined, [11472], 
[261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\ui_en_GB.ts, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\ui_ja_JP.ts, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\ui_ru.ts, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\ui_sv.ts, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\ui_uk.ts, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\ui_zh_CN.ts, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\update1.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\update2.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\update3.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\resources\update4.png, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\DPInst64.exe, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\DriverHiveEngine.dll, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\DriverUpdatePlus.exe, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\Eula.pdf, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\main.ico, Quarantined, [11472], [261525],1.0.3404 
PUP.Optional.DriverUpdatePlus, C:\Program Files (x86)\DriverUpdaterPlus\updater.exe, Quarantined, [11472], [261525],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdaterPlus\DriverUpdate Plus.lnk, Quarantined, [11472], [182468],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdaterPlus\End User Licence Agreement.lnk, Quarantined, [11472], [182468],1.0.3404 PUP.Optional.DriverUpdatePlus, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdaterPlus\Uninstall DriverUpdate Plus.lnk, Quarantined, [11472], [182468],1.0.3404 PUP.Optional.DriverUpdatePlus.OL, C:\USERS\{username}\DESKTOP\DRIVERUPDATE.EXE, Quarantined, [6921], [465061],1.0.3404 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Today in History?
The Malwarebytes research team has determined that Today in History is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
How do I know if my computer is affected by Today in History?
You may see this browser extension:
and these warnings during install:
and this new newtab page in the affected browsers:
How did Today in History get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore.
How do I remove Today in History?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard.
Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Today in History?
If you are using an older version of Malwarebytes, you may have to remove the Extension manually under Tools > More Tools > Extensions. Click on the bin behind the Today in History entry and confirm Remove in the prompt.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Today in History hijacker.
It blocks traffic to their domains:
Technical details for experts
Possible signs in a FRST log:
CHR Extension: (Today In History - New Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\llacokknbnbhknmnelnfdmknkpmlpoil [2017-12-01]
Changes made by the installer:
Registry details (Selection)
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"llacokknbnbhknmnelnfdmknkpmlpoil"="REG_SZ", "87EB81ADA385115E5912BF4CFCF5183C21A8E4AC537E383117DC66BA1F2B324A"
The Malwarebytes scan log:
As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  7. What is Nix Player?
The Malwarebytes research team has determined that Nix Player is a bundler. This so-called bundler installed a browser hijacker. Hijackers manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
How do I know if my computer is affected by Nix Player?
You may see this entry in your list of installed software:
and these warnings during install:
this browser extension:
these changed settings:
and you will see these icons in your startmenu and on your desktop:
This is the main screen of the program:
How did Nix Player get on my computer?
Bundlers use different methods for distributing themselves. This particular one was offered as a "necessary" media player.
How do I remove Nix Player?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard.
Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Nix Player?
No, Malwarebytes removes Nix Player completely. The shortcut called Nix Player on the desktop can be deleted if it belonged to the potentially unwanted program.
How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Nix Player hijacker.
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
And we would have blocked the download of the installer:
Technical details for experts
Possible signs in FRST logs:
FF NewTab: about:newtab
FF DefaultSearchEngine: Yahoo! Powered Search
FF SelectedSearchEngine: Yahoo! Powered Search
FF Homepage: hxxps://{cc}.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=bgy_bboi_17_48_ssg01&param1=1&param2={Firefox}
FF Keyword.URL: user_pref("keyword.URL", true);
FF SearchPlugin: C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\searchplugins\yahoo! powered search.xml [2017-11-30]
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2017-11-30] [not signed]
CHR DefaultSearchURL: Default -> hxxp://srchbar.com/?q={searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
CHR Extension: (Search Manager) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej [2017-11-30]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKCU\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
C:\Users\{username}\Desktop\Nix Player.lnk
C:\Users\{username}\AppData\Roaming\Nix Player
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nix Player (Nix Player )
C:\Users\{username}\Downloads\Nix_Player [1].exe
Nix Player (HKCU\...\{EBD7166E-C6A6-4b68-80CA-CA08108C76EE} Nix Player_is1) (Version: 1.0.0.0 - Nix Player)
Significant alterations made by the installer:
Registry details [View: All details] (Selection)

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/30/17
Scan Time: 11:26 AM
Log File: ea295588-d5b8-11e7-ae87-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3379
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 335741
Threats Detected: 143
Threats Quarantined: 143
Time Elapsed: 2 min, 4 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 5
PUP.Optional.InstallCore, HKCU\SOFTWARE\csastats, Delete-on-Reboot, [2], [260986],1.0.3379
PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Delete-on-Reboot, [529], [260991],1.0.3379
PUP.Optional.SearchManager, HKCU\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Delete-on-Reboot, [529], [260991],1.0.3379
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Delete-on-Reboot, [529], [260991],1.0.3379
PUP.Optional.ProductSetup, HKCU\SOFTWARE\PRODUCTSETUP, Delete-on-Reboot, [14409], [242047],1.0.3379

Registry Value: 1
PUP.Optional.ProductSetup, HKCU\SOFTWARE\PRODUCTSETUP|TB, Delete-on-Reboot, [14409], [242047],1.0.3379

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 19
[260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\skin\icons\16.png, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\vendor\md5.min.js, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\vendor\react-dom.min.js, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\vendor\react-with-addons.min.js, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\vendor\underscore-min.js, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\_locales\en\messages.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\_locales\fr\messages.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\_locales\hi\messages.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\_locales\pt_BR\messages.json, Delete-on-Reboot, [529], [260991],1.0.3379 
PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\_locales\vi\messages.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\_metadata\verified_contents.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\2bfc185be71f44cd73ac81511fc1f5a5.woff, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\b495e340f4ef8924fea0284c1bf9e7ac.woff, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\background.html, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\background.v0.0.1.min.js, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\c5a5cbf4dbcaa7064f2bc77f52101aec.otf, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\client.v0.0.1.min.js, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\common.js, Delete-on-Reboot, [529], [260991],1.0.3379 
PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\e5d3501d500d07b0a1e952b0f8a81d78.woff, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\e_.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\index.html, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\manifest.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\popupTab2.html, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\popupTab2.js, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pilplloabdedfmialnfchjomjmpjcoej\10.1.2.53_0\responseConfig.json, Delete-on-Reboot, [529], [260991],1.0.3379 PUP.Optional.SearchManager, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage, Delete-on-Reboot, [529], [453138],1.0.3379 PUP.Optional.WinYahoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\PREFS.JS, Replaced, [63], [413431],1.0.3379 PUP.Optional.WinYahoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\SEARCHPLUGINS\YAHOO! 
POWERED SEARCH.XML, Delete-on-Reboot, [63], [413427],1.0.3379 PUP.Optional.InstallCore, C:\USERS\{username}\DESKTOP\NIX_PLAYER.EXE, Delete-on-Reboot, [2], [461898],1.0.3379 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is InternetSpeedTracker?

The Malwarebytes research team has determined that InternetSpeedTracker is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. InternetSpeedTracker is a member of the Mindspark/Ask family, now known as IAC Applications.

How do I know if my computer is affected by InternetSpeedTracker?

You may see these browser extensions/add-ons:
these warnings during install:
You may see this entry in your list of installed software:
and this new homepage in the affected browsers:

How did InternetSpeedTracker get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website after a redirect by an ad-rotator.

How do I remove InternetSpeedTracker?

Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise following the steps below anyway.

Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of InternetSpeedTracker?

If you are using Chrome and an older version of Malwarebytes, you may have to remove the Extension manually under Tools > More Tools > Extensions. Click on the bin behind the InternetSpeedTracker entry and confirm Remove in the prompt.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the InternetSpeedTracker hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.
and it blocks traffic to some of their domains:

Technical details for experts

Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/internetspeedtracker/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_9tMembers_@free.internetspeedtracker.com.xpi [2017-11-29]
CHR Extension: (InternetSpeedTracker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc [2017-11-29]
C:\Users\{username}\AppData\Local\Internet Speed TrackerTooltab
Internet Speed Tracker Internet Explorer Homepage and New Tab (HKCU\...\Internet Speed TrackerTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION

Most significant changes made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"kohoehgoafblafjinhplmhcbphgaaobc"="REG_SZ", "5D62E9F71822E9740CD6B4F38D59B820BC7706AA534FFE42BEFA29FFEB4015AA"
[HKEY_CURRENT_USER\Software\Internet Speed Tracker]
"Start Page"="REG_SZ", "http://hp.myway.com/internetspeedtracker/ttab02/index.html?n={n}&p2=^BBQ^mni000^TTAB02&ptb={ptb}&coid={coid}"
"UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F66QYSWY%3Fc%3D{ptb}%26ptb%3D^BBQ^mni000^TTAB02"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://hp.myway.com/internetspeedtracker/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Speed TrackerTooltab Uninstall Internet Explorer]
"DisplayName"="REG_SZ", "Internet Speed Tracker Internet Explorer Homepage and New Tab"
"HelpLink"="REG_SZ", "http://support.mindspark.com/"
"Publisher"="REG_SZ", "Mindspark Interactive Network, Inc."
"UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\Internet Speed TrackerTooltab\TooltabExtension.dll" U uninstall:Internet Speed Tracker"
"URLInfoAbout"="REG_SZ", "http://support.mindspark.com/"

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/29/17
Scan Time: 9:06 AM
Log File: 2978c292-d4dc-11e7-ae87-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3371
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 335568
Threats Detected: 59
Threats Quarantined: 59
Time Elapsed: 4 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 1
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Internet Speed TrackerTooltab\TooltabExtension.dll, Quarantined, [851], [356944],1.0.3371

Registry Key: 2
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Internet Speed TrackerTooltab Uninstall Internet Explorer, Quarantined, [851], [356944],1.0.3371
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Internet Speed Tracker, Quarantined, [851], [444113],1.0.3371

Registry Value: 2
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Internet Speed TrackerTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [260], [352442],1.0.3371
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Internet Speed Tracker|START PAGE, Quarantined, [851], [444113],1.0.3371

Registry Data: 1
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [260], [293497],1.0.3371

Data Stream: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
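An added check, written here and not part of the original post or of Malwarebytes' tooling: this PowerShell script looks for the InternetSpeedTracker indicators named in the technical details above (the IE Start Page value, the two HKCU keys, the Chrome extension folders and the Firefox add-on) and only reports what it finds. It assumes the default Chrome and Firefox profile locations shown in the post.

```powershell
# Added example, not part of the original post or of Malwarebytes' tooling:
# a read-only check for the InternetSpeedTracker indicators listed under
# "Technical details for experts". It reports what it finds and changes nothing.
# Assumption: Chrome and Firefox use the default profile locations shown in the post.

$ExtensionId   = 'kohoehgoafblafjinhplmhcbphgaaobc'           # Chrome extension ID from the FRST log
$FirefoxAddon  = '_9tMembers_@free.internetspeedtracker.com'   # Firefox add-on ID from the FRST log
$StartPageHost = 'hp.myway.com'                                # host the hijacked start page points to

$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Internet Explorer start page rewritten to hp.myway.com (the FRST "Start Page" line)
$IeMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$StartPage = (Get-ItemProperty -Path $IeMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($StartPage -and $StartPage -like "*$StartPageHost*") {
    $Findings.Add("IE Start Page points to ${StartPageHost}: $StartPage")
}

# 2. Product key and uninstall entry written by the installer (see "Registry details")
$RegistryKeys = @(
    'HKCU:\Software\Internet Speed Tracker',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Speed TrackerTooltab Uninstall Internet Explorer'
)
foreach ($Key in $RegistryKeys) {
    if (Test-Path -LiteralPath $Key) { $Findings.Add("Registry key present: $Key") }
}

# 3. Folders and files the installer drops for IE, Chrome and Firefox
$Paths = @(
    (Join-Path $env:LOCALAPPDATA 'Internet Speed TrackerTooltab\TooltabExtension.dll'),
    (Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\Extensions\$ExtensionId"),
    (Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\Local Extension Settings\$ExtensionId")
)
# The Firefox profile folder name is random per machine, so every profile is checked
$ProfileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $ProfileRoot) {
    foreach ($Profile in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        $Paths += Join-Path $Profile.FullName "extensions\$FirefoxAddon.xpi"
        $Paths += Join-Path $Profile.FullName "browser-extension-data\$FirefoxAddon"
    }
}
foreach ($Path in $Paths) {
    if (Test-Path -LiteralPath $Path) { $Findings.Add("Path present: $Path") }
}

# 4. Report
if ($Findings.Count -eq 0) {
    Write-Output 'No InternetSpeedTracker indicators found in this user profile.'
} else {
    Write-Output "Found $($Findings.Count) InternetSpeedTracker indicator(s); run a Malwarebytes Threat Scan as described above:"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it as the affected user, since every indicator lives under HKCU or that user's profile folders.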
  9. What is Search App - Music?

The Malwarebytes research team has determined that Search App - Music is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one is a search hijacker.

How do I know if my computer is affected by Search App - Music?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and you will see this icon in your Chrome menubar:

How did Search App - Music get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was offered as a result of an ad-rotator.

How do I remove Search App - Music?

Our program Malwarebytes can detect and remove this potentially unwanted program.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Search App - Music?

No, Malwarebytes removes Search App - Music completely. If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the Search App - Music entry and confirm Remove in the prompt.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Search App - Music hijacker. It would have blocked the site where the hijacker was promoted.

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxp://www.blpsearch.com/search?sid=731&aid={APPID}&itype=u&src=ds&p={searchTerms}&tm=0
CHR DefaultSearchKeyword: Default -> BLPSearch
CHR Extension: (Search App - Music) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk [2017-11-28]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0
   Adds the file Archive created by free jZip.url"="11/26/2013 11:21 AM, 58 bytes, A
   Adds the file manifest.json"="11/28/2017 11:09 AM, 1587 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\_metadata
   Adds the file computed_hashes.json"="11/28/2017 11:09 AM, 464 bytes, A
   Adds the file verified_contents.json"="7/27/2017 2:01 PM, 1789 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\icons
   Adds the file icon-128.png"="11/28/2017 11:09 AM, 8663 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\js
   Adds the file background.js"="7/27/2017 12:21 PM, 11045 bytes, A
   Adds the file brand.js"="7/27/2017 12:21 PM, 218 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
   "hagddakimkgiioealohceeiaedgpbmjk"="REG_SZ", "F485077FE218685DBABBB89BE42EF93A08BEA9682699902D8033E473B54432CB"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/28/17
Scan Time: 11:12 AM
Log File: aafd1498-d424-11e7-ae87-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3363
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 335448
Threats Detected: 14
Threats Quarantined: 14
Time Elapsed: 4 min, 2 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\_metadata, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\icons, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\js, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HAGDDAKIMKGIIOEALOHCEEIAEDGPBMJK\1.1.0.3280_0, Quarantined, [9112], [443081],1.0.3363

File: 9
PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HAGDDAKIMKGIIOEALOHCEEIAEDGPBMJK\1.1.0.3280_0\JS\BRAND.JS, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\icons\icon-128.png, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\js\background.js, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\_metadata\computed_hashes.json, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\_metadata\verified_contents.json, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\Archive created by free jZip.url, Quarantined, [9112], [443081],1.0.3363
PUP.Optional.BlpSearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hagddakimkgiioealohceeiaedgpbmjk\1.1.0.3280_0\manifest.json, Quarantined, [9112], [443081],1.0.3363

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention

Save yourself the hassle and get protected.
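The FRST lines above show the two places a Chrome search hijacker leaves its mark: an extension directory under the profile's Extensions folder, and the default search URL that Chrome stores in its preference files. The script below is an added example, not Malwarebytes' or FRST's code, that checks both on a profile you point it at. It builds its own throwaway Extensions tree in a temporary directory; the extension IDs, names and URLs in that sample are invented, and the preference key path it reads (default_search_provider_data.template_url_data.url) is the one Chrome uses in Preferences / Secure Preferences.

```python
"""Audit a Chrome profile for the search / new-tab hijack markers shown above.

Added example; not Malwarebytes' or FRST's code. It reads the same artefacts
the FRST lines point at: each extension's manifest.json under
<profile>\\Extensions\\<id>\\<version>\\ and the default search provider that
Chrome keeps in its (Secure) Preferences JSON. The sample profile is built in
a temporary directory; its extension IDs, names and URLs are invented.
"""
import json
import os
import tempfile
from urllib.parse import urlparse

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CHROME_ID_ALPHABET = set("abcdefghijklmnop")  # Chrome IDs: 32 chars, a-p only


def audit_manifest(manifest: dict) -> list:
    """Return the hijack-relevant findings for one extension manifest."""
    findings = []
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if provider:  # extension replaces the default search engine
        host = urlparse(provider.get("search_url", "")).netloc
        findings.append(f"search_provider -> {host or provider.get('search_url')}")
    newtab = manifest.get("chrome_url_overrides", {}).get("newtab")
    if newtab:  # extension replaces the new-tab page
        findings.append(f"newtab override -> {newtab}")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_HOSTS:
        findings.append("broad host permissions")
    if "tabs" in perms:
        findings.append("tabs permission")
    return findings


def audit_extensions_dir(ext_root: str) -> dict:
    """Map extension ID -> findings for every <id>/<version>/manifest.json."""
    report = {}
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not (os.path.isdir(id_dir) and len(ext_id) == 32 and set(ext_id) <= CHROME_ID_ALPHABET):
            continue
        for version in sorted(os.listdir(id_dir)):
            mpath = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            try:
                with open(mpath, encoding="utf-8") as fh:
                    findings = audit_manifest(json.load(fh))
            except (OSError, json.JSONDecodeError):
                findings = ["unreadable manifest"]
            if findings:
                report.setdefault(ext_id, []).extend(f"{version}: {f}" for f in findings)
    return report


def default_search_host(prefs: dict) -> str:
    """Host of the default search URL in a parsed Preferences / Secure Preferences file.

    The key path default_search_provider_data.template_url_data.url is where the
    'CHR DefaultSearchURL' value in the FRST line above comes from.
    """
    url = (prefs.get("default_search_provider_data", {})
                .get("template_url_data", {}).get("url", ""))
    return urlparse(url).netloc


def build_sample_profile() -> str:
    """Construct a throwaway Extensions tree: one benign, one hijacker-like."""
    root = tempfile.mkdtemp(prefix="chrome_ext_")
    samples = {
        # hypothetical benign extension: no overrides, one narrow permission
        "abcdefghijklmnopabcdefghijklmnop": {"1.0_0": {
            "name": "Notes", "manifest_version": 2, "version": "1.0",
            "permissions": ["storage"]}},
        # hypothetical hijacker-like extension: takes over search and new tab
        "ponmlkjihgfedcbaponmlkjihgfedcba": {"1.1.0.3280_0": {
            "name": "Search App - Sample", "manifest_version": 2, "version": "1.1.0.3280",
            "permissions": ["tabs", "<all_urls>"],
            "chrome_settings_overrides": {"search_provider": {
                "name": "SampleSearch", "keyword": "sample", "encoding": "UTF-8",
                "search_url": "http://search.example.invalid/search?q={searchTerms}",
                "favicon_url": "http://search.example.invalid/favicon.ico",
                "is_default": True}},
            "chrome_url_overrides": {"newtab": "newtab.html"}}},
    }
    for ext_id, versions in samples.items():
        for version, manifest in versions.items():
            vdir = os.path.join(root, ext_id, version)
            os.makedirs(vdir)
            with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for ext_id, findings in audit_extensions_dir(build_sample_profile()).items():
        print(ext_id)
        for finding in findings:
            print("  ", finding)
```

On a real machine, point audit_extensions_dir at C:\Users\<name>\AppData\Local\Google\Chrome\User Data\Default\Extensions and feed json.load of the profile's Secure Preferences to default_search_host; an extension that both sets a search_provider and asks for <all_urls> or tabs, with a search host you do not recognise, is the pattern the Search App - Music entry above matches.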
  10. What is PCEasyNow? The Malwarebytes research team has determined that PCEasyNow is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog. How do I know if I am infected with PCEasyNow? This is how the main screen of the sytem optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see this warning during install: and these screens during "operations": You may see this entry in your list of installed programs: How did PCEasyNow get on my computer? These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website: How do I remove PCEasyNow? Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PCEasyNow? No, Malwarebytes removes PCEasyNow completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this system optimizer. As you can see below the full version of Malwarebytes would have protected you against the PCEasyNow installer. 
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for experts You may see these entries in FRST logs: () C:\Program Files (x86)\PCEasyNow\PCEasyNow.exe C:\Users\Public\Desktop\PCEasyNow.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCEasyNow C:\Program Files (x86)\PCEasyNow PCEasyNow 5.1 (HKLM-x32\...\{31D79A2E-8532-45D2-8F60-8169A16FCDC4}_is1) (Version: 5.1 - Speedy HLDGS) () C:\Program Files (x86)\PCEasyNow\Common.dll () C:\Program Files (x86)\PCEasyNow\RegisterLib.dll () C:\Program Files (x86)\PCEasyNow\Diskdefrag.dll () C:\Program Files (x86)\PCEasyNow\EvidenceMan.dll () C:\Program Files (x86)\PCEasyNow\IEMan.dll () C:\Program Files (x86)\PCEasyNow\RegisterCleanDll.dll () C:\Program Files (x86)\PCEasyNow\RegMan.dll () C:\Program Files (x86)\PCEasyNow\sysback.dll () C:\Program Files (x86)\PCEasyNow\sysFix.dll () C:\Program Files (x86)\PCEasyNow\sysTool.dll () C:\Program Files (x86)\PCEasyNow\WindowsUpdateDll.dll Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\PCEasyNow Adds the file Calc.dll"="5/4/2014 12:45 PM, 17720 bytes, A Adds the file Common.dll"="5/4/2014 12:45 PM, 44856 bytes, A Adds the file DiskDefrag.dll"="5/4/2014 12:45 PM, 161592 bytes, A Adds the file EvidenceMan.dll"="5/4/2014 12:45 PM, 49464 bytes, A Adds the file IEMan.dll"="5/4/2014 12:45 PM, 47416 bytes, A Adds the file license.txt"="3/12/2014 4:02 PM, 19807 bytes, A Adds the file mfc100u.dll"="5/4/2014 12:45 PM, 4423480 bytes, A Adds the file msvcp100.dll"="5/4/2014 12:45 PM, 421688 bytes, A Adds the file msvcr100.dll"="5/4/2014 12:45 PM, 774456 bytes, A Adds the file PCEasyNow.exe"="5/4/2014 12:45 PM, 15707448 bytes, A Adds the file RegisterCleanDll.dll"="5/4/2014 12:45 PM, 636728 bytes, A Adds the file 
RegisterLib.dll"="5/4/2014 12:45 PM, 66872 bytes, A Adds the file RegisterManager.exe"="5/4/2014 12:45 PM, 93496 bytes, A Adds the file RegMan.dll"="5/4/2014 12:45 PM, 63800 bytes, A Adds the file sysback.dll"="5/4/2014 12:45 PM, 124216 bytes, A Adds the file sysFix.dll"="5/4/2014 12:45 PM, 61240 bytes, A Adds the file sysTool.dll"="5/4/2014 12:45 PM, 47416 bytes, A Adds the file unins000.dat"="11/27/2017 9:29 AM, 22489 bytes, A Adds the file unins000.exe"="11/27/2017 9:28 AM, 1174979 bytes, A Adds the file WindowsUpdateDll.dll"="5/4/2014 12:45 PM, 31032 bytes, A Adds the folder C:\Program Files (x86)\PCEasyNow\dic\ar Adds the folder C:\Program Files (x86)\PCEasyNow\dic\cn Adds the folder C:\Program Files (x86)\PCEasyNow\dic\de Adds the folder C:\Program Files (x86)\PCEasyNow\dic\en Adds the file backup.ini"="2/15/2012 3:10 PM, 11760 bytes, A Adds the file Evident.ini"="2/12/2012 1:06 AM, 7902 bytes, A Adds the file frame.ini"="3/12/2014 4:06 PM, 15450 bytes, A Adds the file IETools.ini"="2/12/2012 1:06 AM, 386 bytes, A Adds the file ScanClean.ini"="2/15/2012 3:17 PM, 12594 bytes, A Adds the file SysOp.ini"="2/15/2012 3:36 PM, 16592 bytes, A Adds the file systemfix.ini"="2/14/2012 2:51 PM, 16402 bytes, A Adds the file systemtool.ini"="2/14/2012 3:31 PM, 26452 bytes, A Adds the folder C:\Program Files (x86)\PCEasyNow\dic\es Adds the folder C:\Program Files (x86)\PCEasyNow\dic\fr Adds the folder C:\Program Files (x86)\PCEasyNow\dic\hk Adds the folder C:\Program Files (x86)\PCEasyNow\dic\it Adds the folder C:\Program Files (x86)\PCEasyNow\dic\jp Adds the folder C:\Program Files (x86)\PCEasyNow\dic\nl Adds the folder C:\Program Files (x86)\PCEasyNow\dic\pt Adds the folder C:\Program Files (x86)\PCEasyNow\FullBackup Adds the folder C:\Program Files (x86)\PCEasyNow\regbackup Adds the folder C:\Program Files (x86)\PCEasyNow\update Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCEasyNow Adds the file PCEasyNow on the Web.url"="11/27/2017 9:29 AM, 51 
bytes, A Adds the file PCEasyNow.lnk"="11/27/2017 9:29 AM, 1037 bytes, A Adds the file Uninstall PCEasyNow.lnk"="11/27/2017 9:29 AM, 1032 bytes, A Adds the file update.lnk"="11/27/2017 9:29 AM, 912 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file PCEasyNow.lnk"="11/27/2017 9:29 AM, 1019 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\pceasynow\Param\RegScore] "LastScanScore"="REG_DWORD", 64 "LastScanTime"="REG_EXPAND_SZ, "2017-11-27_09:32:10" "RegCleanErrorCount"="REG_DWORD", 92 "ScanEvidenceErrorCount"="REG_DWORD", 302 "ScanFileAssociateErrorCount"="REG_DWORD", 2 "ScanJunkFileErrorCount"="REG_DWORD", 53 "ScanShortcutErrorCount"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{31D79A2E-8532-45D2-8F60-8169A16FCDC4}_is1] "DisplayName"="REG_SZ", "PCEasyNow 5.1" "DisplayVersion"="REG_SZ", "5.1" "EstimatedSize"="REG_DWORD", 39804 "HelpLink"="REG_SZ", "http://www.PCEasyNow.com/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\PCEasyNow" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "PCEasyNow" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon,schtasks" "Inno Setup: Setup Version"="REG_SZ", "5.4.3 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20171127" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\PCEasyNow\" "MajorVersion"="REG_DWORD", 5 "MinorVersion"="REG_DWORD", 1 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Speedy HLDGS" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\PCEasyNow\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\PCEasyNow\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://www.PCEasyNow.com/" "URLUpdateInfo"="REG_SZ", "http://www.PCEasyNow.com/" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PCEasyNow\Param] "Lang"="REG_SZ", "1" 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PCEasyNow\Param\RegScore] "LastScanScore"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/27/17 Scan Time: 9:38 AM Log File: 5493b84b-d34e-11e7-a4d4-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.212 Update Package Version: 1.0.3355 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 335397 Threats Detected: 150 Threats Quarantined: 150 Time Elapsed: 5 min, 42 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCEasyNow.TskLnk, C:\PROGRAM FILES (X86)\PCEASYNOW\PCEASYNOW.EXE, Quarantined, [16333], [462560],1.0.3355 Module: 15 PUP.Optional.PCEasyNow.TskLnk, C:\PROGRAM FILES (X86)\PCEASYNOW\PCEASYNOW.EXE, Quarantined, [16333], [462560],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\Common.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\DiskDefrag.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\EvidenceMan.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\IEMan.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\mfc100u.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\msvcp100.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\msvcr100.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\RegisterCleanDll.dll, Quarantined, [16335], [462557],1.0.3355 
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\RegisterLib.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\RegMan.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\sysback.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\sysFix.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\sysTool.dll, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\WindowsUpdateDll.dll, Quarantined, [16335], [462557],1.0.3355 Registry Key: 3 PUP.Optional.PCEasyNow, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{31D79A2E-8532-45D2-8F60-8169A16FCDC4}_is1, Quarantined, [16335], [462561],1.0.3355 PUP.Optional.PCEasyNow, HKLM\SOFTWARE\WOW6432NODE\PCEasyNow, Quarantined, [16335], [462562],1.0.3355 PUP.Optional.PCEasyNow, HKLM\SOFTWARE\pceasynow, Quarantined, [16335], [462562],1.0.3355 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 17 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\FullBackup, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\regbackup, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files 
(x86)\PCEasyNow\dic\fr, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\update, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\PROGRAM FILES (X86)\PCEASYNOW, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PCEASYNOW, Quarantined, [16335], [462558],1.0.3355 File: 114 PUP.Optional.PCEasyNow.TskLnk, C:\PROGRAM FILES (X86)\PCEASYNOW\PCEASYNOW.EXE, Quarantined, [16333], [462560],1.0.3355 PUP.Optional.PCEasyNow, C:\USERS\PUBLIC\DESKTOP\PCEASYNOW.LNK, Quarantined, [16335], [462559],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files 
(x86)\PCEasyNow\dic\ar\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\ar\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\cn\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\de\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files 
(x86)\PCEasyNow\dic\de\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\en\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\es\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files 
(x86)\PCEasyNow\dic\fr\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\fr\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\fr\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\fr\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\fr\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\fr\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\fr\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\fr\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\hk\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files 
(x86)\PCEasyNow\dic\it\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\it\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\frame.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\IETools.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\SysOp.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\systemfix.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\jp\systemtool.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl\backup.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl\Evident.ini, Quarantined, [16335], [462557],1.0.3355 PUP.Optional.PCEasyNow, C:\Program Files 
(x86)\PCEasyNow\dic\nl\frame.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl\IETools.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl\SysOp.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl\systemfix.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\nl\systemtool.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\backup.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\Evident.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\frame.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\IETools.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\ScanClean.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\SysOp.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\systemfix.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\dic\pt\systemtool.ini, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\Calc.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\Common.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\DiskDefrag.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\EvidenceMan.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\IEMan.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\license.txt, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\mfc100u.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\msvcp100.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\msvcr100.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\RegisterCleanDll.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\RegisterLib.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\RegisterManager.exe, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\RegMan.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\sysback.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\sysFix.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\sysTool.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\unins000.dat, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\unins000.exe, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\WindowsUpdateDll.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCEasyNow\PCEasyNow on the Web.url, Quarantined, [16335], [462558],1.0.3355
PUP.Optional.PCEasyNow, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCEasyNow\PCEasyNow.lnk, Quarantined, [16335], [462558],1.0.3355
PUP.Optional.PCEasyNow, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCEasyNow\Uninstall PCEasyNow.lnk, Quarantined, [16335], [462558],1.0.3355
PUP.Optional.PCEasyNow, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCEasyNow\update.lnk, Quarantined, [16335], [462558],1.0.3355
PUP.Optional.PCEasyNow, C:\USERS\{username}\DESKTOP\SETUP.EXE, Quarantined, [16335], [462556],1.0.3355
Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
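As an added example (not part of the original post and not a Malwarebytes tool), the Python script below parses a Malwarebytes 3 scan log in the pasted text format used in these posts into a structured record, totals the detections per detection name and per action, and cross-checks the per-category counts against the "Threats Detected" figure. That cross-check is a quick way to notice a log that was truncated or edited when it was pasted into a thread. The embedded sample log is constructed: its file records are taken from the PCEasyNow log above, while the summary figures and the folder record are made up for the example.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout of a Malwarebytes 3 scan log. The File
# records come from the PCEasyNow log quoted above; the summary figures and
# the Folder record are made up for this example.
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/24/17
Scan Time: 1:05 PM
Administrator: Yes

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 300000
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 3 min, 0 sec

-Scan Details-
Process: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Folder: 1
PUP.Optional.PCEasyNow, C:\PROGRAM FILES (X86)\PCEASYNOW, Quarantined, [16335], [462557],1.0.3355
File: 3
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\Calc.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\Program Files (x86)\PCEasyNow\Common.dll, Quarantined, [16335], [462557],1.0.3355
PUP.Optional.PCEasyNow, C:\USERS\{username}\DESKTOP\SETUP.EXE, Quarantined, [16335], [462556],1.0.3355
Physical Sector: 0
(No malicious items detected)

(end)
"""

SECTION_RE = re.compile(r"^-(.+)-$")                     # -Scan Summary-
CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")       # File: 3
RECORD_RE = re.compile(                                  # Name, Path, Action, [id], [id],version
    r"^(?P<name>[^,]+), (?P<path>.+), (?P<action>[^,]+), "
    r"\[(?P<id1>\d+)\], \[(?P<id2>\d+)\],(?P<version>[\d.]+)$"
)


def parse_mb_log(text: str) -> Dict:
    """Parse a pasted Malwarebytes 3 scan log into key/value sections and detections."""
    log: Dict = {"sections": {}, "details": {}}
    section = None
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Malwarebytes", "www.malwarebytes.com", "(end)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            log["sections"].setdefault(section, {})
            category = None
            continue
        if section == "Scan Details":
            m = CATEGORY_RE.match(line)
            if m:
                category = m.group(1)
                log["details"][category] = {"count": int(m.group(2)), "records": []}
                continue
            if line == "(No malicious items detected)":
                continue
            m = RECORD_RE.match(line)
            if m is None or category is None:
                raise ValueError(f"unexpected line in Scan Details: {line!r}")
            log["details"][category]["records"].append(m.groupdict())
        elif section is not None:
            key, sep, value = line.partition(": ")
            if not sep:
                raise ValueError(f"unexpected line in {section}: {line!r}")
            log["sections"][section][key] = value
    return log


def check_counts(log: Dict) -> List[str]:
    """Report where stated counts and the records actually listed disagree."""
    problems = []
    total = 0
    for category, entry in log["details"].items():
        total += entry["count"]
        listed = len(entry["records"])
        if listed != entry["count"]:
            problems.append(f"{category}: header says {entry['count']}, {listed} records listed")
    stated = log["sections"].get("Scan Summary", {}).get("Threats Detected")
    if stated is None or int(stated) != total:
        problems.append(f"Threats Detected is {stated}, category counts sum to {total}")
    return problems


def by_detection(log: Dict) -> Dict[str, int]:
    """Number of listed records per detection name (PUP.Optional.PCEasyNow etc.)."""
    return dict(Counter(r["name"] for e in log["details"].values() for r in e["records"]))


def by_action(log: Dict) -> Dict[str, int]:
    """Number of listed records per action (Quarantined, Delete-on-Reboot, Replaced ...)."""
    return dict(Counter(r["action"] for e in log["details"].values() for r in e["records"]))


if __name__ == "__main__":
    parsed = parse_mb_log(SAMPLE_LOG)
    print("by detection:", by_detection(parsed))
    print("by action:", by_action(parsed))
    print("count problems:", check_counts(parsed) or "none")
```

On the logs quoted in these posts the category counts add up to the stated "Threats Detected" value; when a pasted log fails that check, ask for the original .json log file named under "Log File" rather than working from the pasted text.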
  11. Backing up Registry with ERUNT
Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that!
Please download ERUNT and save the file to the desktop.
Install ERUNT by following the prompts, but say No to the portion that asks you to add ERUNT to the startup folder.
Right-click on the icon and select Run as Administrator to start the tool.
Leave the default location (C:\WINDOWS\ERDNT) as a place for your backup.
Make sure that System registry and Current user registry are ticked. The third option Other open users registries is optional.
Press OK to backup and then press YES to create the folder.
This tool won't generate any report. You can uninstall it after you are done with the cleaning.

Registry Fix
We need to prepare a fix file first.
Press the Windows key + R on your keyboard at the same time. A Run window should appear in the lower left corner.
Type in notepad.exe and press Enter.
In the shown window paste in the following script. Make sure that all of the code box content is pasted!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=-
"legalnoticetext"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-

Go to File menu and select Save as. Make sure that the Save as type option is set to All Files (*.*) and the place to save will be your desktop. Name the file fix.reg and select Save.
After that, your prepared fix.reg file should be located on your desktop.
Now we need to import the file into the registry. Locate the fix.reg file on your desktop. Right-click the icon of your file and select Merge.
You'll be prompted about adding the information to the registry. Please agree.
After this please manually reboot your machine.
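As an added example, not part of the original post: before merging a fix.reg that someone has sent you, it helps to see exactly which keys and values it will touch. The Python script below parses the "Windows Registry Editor Version 5.00" format used above (key headers, [-key] deletions, "name"=- value deletions, string, dword: and multi-line hex: data) and lists the planned changes, marking the ones under keys that control logon or startup. The embedded input is the fix.reg from this post; the SENSITIVE_KEYS list and the operation names are this example's own assumptions.

```python
import re
from typing import List, Tuple

# The fix.reg from the post above, embedded as the input for this example.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=-
"legalnoticetext"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"""

# Key paths whose values affect logon or program startup. This list is the
# example's own choice; a fix touching these deserves a second look.
SENSITIVE_KEYS = (
    r"\CurrentVersion\Winlogon",
    r"\CurrentVersion\Run",          # also matches RunOnce
    r"\CurrentVersion\Policies\System",
    r"\CurrentControlSet\Services",
)

# (operation, key, value name, data)
Action = Tuple[str, str, str, str]

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                 # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data or @=data


def _unescape(s: str) -> str:
    # In .reg files a backslash escapes the following character (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> List[Action]:
    """Parse Registry Editor 5.00 text (already decoded; real files are UTF-16) into operations."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Registry Editor Version 5.00 file")
    actions: List[Action] = []
    key = None
    i = 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == "-":               # [-KEY] deletes the whole key
                actions.append(("delete_key", m.group(2), "", ""))
                key = None
            else:
                key = m.group(2)
                actions.append(("ensure_key", key, "", ""))
            continue
        if key is None:
            raise ValueError(f"value line outside any key: {line!r}")
        m = VALUE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3).strip()
        # hex data may be wrapped over several lines, each ending in a backslash
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        if data == "-":                          # "name"=- deletes that value
            actions.append(("delete_value", key, name, ""))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            actions.append(("set_sz", key, name, _unescape(data[1:-1])))
        elif data.startswith("dword:"):
            actions.append(("set_dword", key, name, str(int(data[6:], 16))))
        elif data.startswith("hex"):
            actions.append(("set_binary", key, name, data))
        else:
            raise ValueError(f"unsupported data for {name!r}: {data!r}")
    return actions


def review(text: str) -> List[str]:
    """One human-readable line per planned change, marking sensitive keys."""
    out = []
    for op, key, name, data in parse_reg(text):
        flag = " [sensitive]" if any(s.lower() in key.lower() for s in SENSITIVE_KEYS) else ""
        if op == "ensure_key":
            out.append(f"create/open key {key}{flag}")
        elif op == "delete_key":
            out.append(f"DELETE key {key}{flag}")
        elif op == "delete_value":
            out.append(f"DELETE value {name!r} under {key}{flag}")
        else:
            out.append(f"set {name!r} = {data!r} ({op[4:]}) under {key}{flag}")
    return out


if __name__ == "__main__":
    for line in review(FIX_REG):
        print(line)
```

For the fix.reg above, the output is six lines, all marked sensitive: two keys opened and four LegalNotice values deleted, and nothing else, which is exactly what a fix for the scam's logon message should do.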
  12. What is Troubleshooter?
The Malwarebytes research team has determined that Troubleshooter is a Tech Support Scam. This one tries to get you to send $25 to their PayPal account.

How do I know if my computer is affected by Troubleshooter?
You will see these screens shortly after the file is executed:
Clicking Next on the second one gets you this screen:
and this one if you follow through:
and this one when you try to shut down your computer after Ctrl-Alt-Del:

How did Troubleshooter get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a cracked software installer.

How do I remove Troubleshooter?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
Reboot your computer into "Safe Mode". You will see a black screen with Safe Mode in the corners.
Use the Ctrl-Alt-Del keys and Start Task Manager from the resulting screen.
In the Windows Task Manager click File > New Task (Run...). In the prompt type %temp% and click OK. This will open the Temp folder.
In that folder find the folder csrvc. In that folder delete the file Troubleshoot.exe.
Then go back to the Windows Task Manager and click File > New Task (Run...). In the prompt type services.msc and click OK.
In the list of services find the one called csrvc and right-click on it. In the Properties screen set the "Startup type" to Disabled.
Then use Ctrl-Alt-Del again and Reboot the computer from the resulting screen.
After the reboot use the Ctrl-Alt-Del buttons again to Start Task Manager from the resulting screen.
Then go back to the Windows Task Manager and click File > New Task (Run...). In the prompt type explorer and click OK. You should now have access to your Desktop again.
Then continue with the instructions below.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Troubleshooter?
No, Malwarebytes removes Troubleshooter completely. You can uninstall adwizz from the list of installed Programs and Features.
You may still see this message when you reboot:
If this is true, and you want to remove it, follow the instructions in the reply to this post.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.
and blocks the download of additional files:

Technical details for experts
You may see these entries in FRST logs:
HKLM\...\Winlogon: [Shell] C:\Users\{username}\AppData\Local\Temp\csrvc\Troubleshoot.exe, [ ] () <=== ATTENTION
HKLM\...\Winlogon: [LegalNoticeCaption] Windows Security Warning !!
HKLM\...\Winlogon: [LegalNoticeText] Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure.
S4 csrvc; C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.exe [56832 2017-11-24] () [File not signed]
C:\Users\{username}\Desktop\InstallUtil.InstallLog
C:\Program Files\adwizz

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\adwizz
Adds the file adwizz.exe"="11/24/2017 9:05 AM, 67072 bytes, A
In the existing folder C:\Users\{username}\Desktop
Adds the file InstallUtil.InstallLog"="11/24/2017 9:05 AM, 664 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc]
"Adfly_Urls"="REG_SZ", ""
"Banner_Act"="REG_SZ", "True"
"BottumBrnAd"="REG_SZ", ""
"Computer_Name"="REG_SZ", "{computername}"
"Country"="REG_SZ", ""
"Cversion"="REG_SZ", ""
"Dversion"="REG_SZ", ""
"FileLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\Temp\csrvc"
"GUID"="REG_SZ", ""
"HDD_SerialNo"="REG_SZ", ""
"InstalationDateTime"="REG_SZ", "2017-11-24 08:05:22 AM"
"Install_ServiceProvider"="REG_SZ", ""
"Installation_IP"="REG_SZ",""
"IP"="REG_SZ", ""
"IsMastered"="REG_SZ", ""
"KC_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KF_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KL_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KM_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KT_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KU_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KU_URL"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"Last_IP"="REG_SZ", ""
"Last_Seen"="REG_SZ", "2017-11-24 08:05:22 AM"
"LeftBrnAd"="REG_SZ", ""
"LocalDateTime"="REG_SZ", ""
"Logo"="REG_SZ", ""
"MAC"="REG_SZ", ""
"Manufacturer"="REG_SZ", ""
"Message"="REG_SZ", ""
"Model"="REG_SZ", "VirtualBox"
"Name_OS"="REG_SZ", "Microsoft Windows 7 Ultimate "
"PopUp_Act"="REG_SZ", "True"
"PopUp_Color"="REG_SZ", ""
"Price"="REG_SZ", "$25 USD"
"Processor"="REG_SZ", "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz"
"RAM"="REG_SZ", "2GB"
"Restarter"="REG_SZ", ""
"RigthBrnAd"="REG_SZ", ""
"ScreenShot"="REG_SZ", ""
"SoftwareVersion"="REG_SZ", "3.3"
"SysUsername"="REG_SZ", "{username}"
"TaskKill"="REG_SZ", ""
"TimeZone"="REG_SZ", ""
"TollFreeNo"="REG_SZ", ""
"TopBrnAd"="REG_SZ", ""
"UID_Os"="REG_SZ", ""
"Username"="REG_SZ", "khurpechi@gmail.com"
"WasOffline"="REG_SZ", "False"
"WindowsBrnAd"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"DisabledHotkeys"="REG_SZ", "ER"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption" = REG_SZ, "Windows Security Warning !!"
"legalnoticetext" = REG_SZ, "Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure."
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz]
"DisplayIcon"="REG_SZ", "C:\Program Files\adwizz\adwizz.exe"
"DisplayName"="REG_EXPAND_SZ, "adwizz"
"DisplayVersion"="REG_SZ", "v1.0"
"InstallLocation"="REG_EXPAND_SZ, "C:\Program Files\adwizz"
"Publisher"="REG_SZ", "adwizz"
"UninstallString"="REG_EXPAND_SZ, "C:\Program Files\adwizz\Uninstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption" = REG_SZ, "Windows Security Warning !!"
"LegalNoticeText" = REG_SZ, "Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure."
"Shell" = REG_SZ, "C:\Users\{username}\AppData\Local\Temp\csrvc\Troubleshoot.exe,"
"Userinit" = REG_SZ, ""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"SystemStartOptions" = REG_SZ, " NOEXECUTE=OPTIN SAFEBOOT:MINIMAL SOS BOOTLOG NOGUIBOOT BOOTLOGO"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"SAFEBOOT_OPTION"="REG_SZ", "MINIMAL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\Windows\CurrentVersion\csrvc]
"Adfly_Urls"="REG_SZ", ""
"Banner_Act"="REG_SZ", "True"
"BottumBrnAd"="REG_SZ", ""
"Computer_Name"="REG_SZ", "{computername}"
"Country"="REG_SZ", ""
"Cversion"="REG_SZ", ""
"Dversion"="REG_SZ", ""
"FileLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\Temp\csrvc"
"GUID"="REG_SZ", ""
"HDD_SerialNo"="REG_SZ", ""
"InstalationDateTime"="REG_SZ", "2017-11-24 08:05:22 AM"
"Install_ServiceProvider"="REG_SZ", "Instera"
"Installation_IP"="REG_SZ", ""
"IP"="REG_SZ", ""
"IsMastered"="REG_SZ", ""
"KC_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KF_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KL_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KM_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KT_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KU_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KU_URL"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"Last_IP"="REG_SZ", ""
"Last_Seen"="REG_SZ", "2017-11-24 08:05:22 AM"
"LeftBrnAd"="REG_SZ", ""
"LocalDateTime"="REG_SZ", ""
"Logo"="REG_SZ", ""
"MAC"="REG_SZ", "08-00-27-75-02-97"
"Manufacturer"="REG_SZ", ""
"Message"="REG_SZ", ""
"Model"="REG_SZ", "VirtualBox"
"Name_OS"="REG_SZ", "Microsoft Windows 7 Ultimate "
"PopUp_Act"="REG_SZ", "True"
"PopUp_Color"="REG_SZ", ""
"Price"="REG_SZ", "$25 USD"
"Processor"="REG_SZ", "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz"
"RAM"="REG_SZ", "2GB"
"Restarter"="REG_SZ", ""
"RigthBrnAd"="REG_SZ", ""
"ScreenShot"="REG_SZ", ""
"SoftwareVersion"="REG_SZ", "3.3"
"SysUsername"="REG_SZ", "{username}"
"TaskKill"="REG_SZ", ""
"TimeZone"="REG_SZ", ""
"TollFreeNo"="REG_SZ", ""
"TopBrnAd"="REG_SZ", ""
"UID_Os"="REG_SZ", ""
"Username"="REG_SZ", "khurpechi@gmail.com"
"WasOffline"="REG_SZ", "False"
"WindowsBrnAd"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\Windows\CurrentVersion\csrvc]
"Adfly_Urls"="REG_SZ", ""
"Banner_Act"="REG_SZ", "True"
"BottumBrnAd"="REG_SZ", ""
"Computer_Name"="REG_SZ", "{computername}"
"Country"="REG_SZ", ""
"Cversion"="REG_SZ", ""
"Dversion"="REG_SZ", ""
"FileLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\Temp\csrvc"
"GUID"="REG_SZ", ""
"HDD_SerialNo"="REG_SZ", ""
"InstalationDateTime"="REG_SZ", "2017-11-24 08:05:22 AM"
"Install_ServiceProvider"="REG_SZ", ""
"Installation_IP"="REG_SZ", ""
"IP"="REG_SZ", ""
"IsMastered"="REG_SZ", ""
"KC_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KF_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KL_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KM_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KT_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KU_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"KU_URL"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ=="
"Last_IP"="REG_SZ", ""
"Last_Seen"="REG_SZ", "2017-11-24 08:05:22 AM"
"LeftBrnAd"="REG_SZ", ""
"LocalDateTime"="REG_SZ", ""
"Logo"="REG_SZ", ""
"MAC"="REG_SZ", ""
"Manufacturer"="REG_SZ", ""
"Message"="REG_SZ", ""
"Model"="REG_SZ", "VirtualBox"
"Name_OS"="REG_SZ", "Microsoft Windows 7 Ultimate "
"PopUp_Act"="REG_SZ", "True"
"PopUp_Color"="REG_SZ", ""
"Price"="REG_SZ", "$25 USD"
"Processor"="REG_SZ", "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz"
"RAM"="REG_SZ", "2GB"
"Restarter"="REG_SZ", ""
"RigthBrnAd"="REG_SZ", ""
"ScreenShot"="REG_SZ", ""
"SoftwareVersion"="REG_SZ", "3.3"
"SysUsername"="REG_SZ", "{username}"
"TaskKill"="REG_SZ", ""
"TimeZone"="REG_SZ", ""
"TollFreeNo"="REG_SZ", ""
"TopBrnAd"="REG_SZ", ""
"UID_Os"="REG_SZ", ""
"Username"="REG_SZ", "khurpechi@gmail.com"
"WasOffline"="REG_SZ", "False"
"WindowsBrnAd"="REG_SZ", ""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"DisabledHotkeys"="REG_SZ", "ER"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Troubleshoot.exe"="REG_DWORD", 11000

Malwarebytes scan log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/24/17
Scan Time: 3:33 PM
Log File: 68e06c0d-d124-11e7-917c-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.212
Update Package Version: 1.0.3339
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 335122
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 4 min, 32 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
Rogue.TechSupportScam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\csrvc, Quarantined, [387], [461936],1.0.3339
Registry Value: 0
(No malicious items detected)
Registry Data: 1
Hijack.Shell.Gen.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, Replaced, [15805], [291910],1.0.3339
Data Stream: 0
(No malicious items detected)
Folder: 1
Rogue.TechSupportScam, C:\USERS\{username}\APPDATA\LOCAL\TEMP\CSRVC, Quarantined, [387], [461936],1.0.3339
File: 8
Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\BSOD.exe, Quarantined, [387], [461936],1.0.3339
Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.exe, Quarantined, [387], [461936],1.0.3339
Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.InstallLog, Quarantined, [387], [461936],1.0.3339
Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.InstallState, Quarantined, [387], [461936],1.0.3339
Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\Proubleshoot.exe, Quarantined, [387], [461936],1.0.3339
Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\scshtrv.exe, Quarantined, [387], [461936],1.0.3339
Rogue.TechSupportScam, C:\$RECYCLE.BIN\S-1-5-21-.-.-.-1003\$ROV0SDP.EXE, Quarantined, [387], [461980],1.0.3339
Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\TROUBLESHOOTER.EXE, Quarantined, [387], [461984],1.0.3339
Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
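As an added example, not from the original post and not part of FRST: the FRST entries above carry three indicators that can be checked mechanically when reading a log: a Winlogon Shell (or Userinit) value that does not point at explorer.exe (or userinit.exe), LegalNoticeCaption or LegalNoticeText being set at all, and a service whose binary lives under a Temp folder or is reported as not signed. The Python script below applies those checks to FRST-style lines and returns the findings in line order. The sample lines are the four quoted above with the placeholders kept, plus one constructed benign service line for contrast; the rule names and the regular expressions are this example's own assumptions about FRST's line layout.

```python
import re
from collections import Counter
from typing import Dict, List

# Sample FRST-style lines. The first four are the ones quoted in the post above
# (placeholders kept); the last one is a constructed benign service line.
SAMPLE_FRST = r"""HKLM\...\Winlogon: [Shell] C:\Users\{username}\AppData\Local\Temp\csrvc\Troubleshoot.exe, [ ] () <=== ATTENTION
HKLM\...\Winlogon: [LegalNoticeCaption] Windows Security Warning !!
HKLM\...\Winlogon: [LegalNoticeText] Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure.
S4 csrvc; C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.exe [56832 2017-11-24] () [File not signed]
R2 Spooler; C:\Windows\System32\spoolsv.exe [12345 2017-11-24] (Microsoft Corporation)
"""

# HKLM\...\Winlogon: [Value] data      (also HKU\<sid>\...\Winlogon:)
WINLOGON_RE = re.compile(r"^(HKLM|HKU\\[^\\]+)\\\.\.\.\\Winlogon: \[(\w+)\] (.*)$")
# R2 name; C:\path\file.exe [size date] (publisher) ...
SERVICE_RE = re.compile(r"^[RSU]\d+ ([^;]+); (.+?\.(?:exe|dll|sys))\b", re.I)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)

# What Windows itself puts in these values on a default install.
EXPECTED = {"Shell": "explorer.exe", "Userinit": "userinit.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def scan_frst(text: str) -> List[Dict[str, object]]:
    """Apply the three checks to each FRST-style line; findings come back in line order."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            value, data = m.group(2), m.group(3)
            if value in EXPECTED:
                # Take the first command only; FRST appends ", [ ] ()" style details.
                first = data.split(",")[0].split(" [")[0].strip()
                if _basename(first) != EXPECTED[value]:
                    findings.append({"rule": f"winlogon_{value.lower()}_hijack",
                                     "line": lineno, "detail": first})
            elif value in ("LegalNoticeCaption", "LegalNoticeText"):
                # Empty on a default install; any text here shows at every logon.
                findings.append({"rule": "legal_notice_set", "line": lineno, "detail": data})
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            if TEMP_DIR_RE.search(path):
                findings.append({"rule": "service_in_temp", "line": lineno,
                                 "detail": f"{name}: {path}"})
            if "[File not signed]" in line:
                findings.append({"rule": "service_unsigned", "line": lineno,
                                 "detail": f"{name}: {path}"})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Number of findings per rule."""
    return dict(Counter(str(f["rule"]) for f in findings))


if __name__ == "__main__":
    for f in scan_frst(SAMPLE_FRST):
        print(f"line {f['line']}: {f['rule']}: {f['detail']}")
    print(summarize(scan_frst(SAMPLE_FRST)))
```

On the sample, the Shell line, both LegalNotice lines and the csrvc service line are reported (the service twice, once for the Temp location and once for the missing signature), while the constructed Spooler line is silent. The Shell value and the unsigned Temp service are the same two items the scan log above lists as Hijack.Shell.Gen.A and Rogue.TechSupportScam.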
  13. What is SmartCloudInput?
The Malwarebytes research team has determined that SmartCloudInput is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by SmartCloudInput?
You may see this entry in your list of installed programs and features:

How did SmartCloudInput get on my computer?
Adware applications use different methods for distributing themselves. This particular one was offered as a cloud manager.

How do I remove SmartCloudInput?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of SmartCloudInput?
No, Malwarebytes removes SmartCloudInput completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the SmartCloudInput adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

Technical details for experts
Possible signs in FRST logs:
() C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe
() C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCCloud.exe
HKLM-x32\...\RunOnce: [SCMutualRunOne] => C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCMutual.exe [1971744 2017-11-23] ()
ShellIconOverlayIdentifiers: [menuext] -> {c0d5287c-e671-43c4-98b1-3a25addf79fa} => C:\Windows\system32\SCMenu64.dll [2017-11-23] ()
R2 SCWordSvc; C:\Program Files (x86)\SCWordSvc\SCWordSvc.dll [1381920 2017-11-23] ()
R2 znshuruV1; C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe [1992224 2017-11-23] ()
C:\Users\{username}\AppData\LocalLow\MiNiNews
C:\Users\{username}\AppData\LocalLow\BubblesPop
C:\Users\{username}\AppData\LocalLow\SmartCloudIME.users
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\智能云输入法
C:\Program Files (x86)\SCWordSvc
C:\Windows\system32\znySrf.ime
C:\Windows\SysWOW64\znySrf.ime
C:\Windows\system32\SCMenu64.dll
C:\Users\{username}\AppData\LocalLow\SmartCloudIME
C:\Program Files (x86)\SmartCloudInput
智能云输入法 1.1 (HKLM-x32\...\智能云输入法) (Version: 1.1.4.09151 - 智能云输入法)
() C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCPlugin.dll
() C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\DuiLib32.dll
() c:\program files (x86)\scwordsvc\scwordsvc.dll

Most significant changes made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Common Files\SmartCloudInput
Adds the file SmartCloud.ini"="11/23/2017 12:21 PM, 79 bytes, A
Adds the folder C:\Program Files (x86)\SCWordSvc
Adds the file info.dat"="11/23/2017 12:22 PM, 36 bytes, A
Adds the file SCWordSvc.dll"="11/23/2017 12:21 PM, 1381920 bytes, A
Adds the file SCWordSvcHost.exe"="11/23/2017 12:21 PM, 1435168 bytes, A
Adds the file SvcConfig.ini"="11/23/2017 12:22 PM, 87 bytes, A
Adds the folder C:\Program Files (x86)\SmartCloudInput
Adds the file __.txt"="11/23/2017 12:21 PM, 183 bytes, A
Adds the folder C:\Program Files (x86)\SmartCloudInput\1.1.0.0511
Adds the file Config.ini"="11/23/2017 12:23 PM, 3621 bytes, A
Adds the file DuiLib32.dll"="11/23/2017 12:21 PM, 652832 bytes, A
Adds the file SCCloud.exe"="11/23/2017 12:21 PM, 1664544 bytes, A
Adds the file SCConfig.exe"="11/23/2017 12:21 PM, 2106912 bytes, A
Adds the file SCDictInst.exe"="11/23/2017 12:21 PM, 284192 bytes, A
Adds the file SCImeBroker.exe"="11/23/2017 12:21 PM, 136736 bytes, A
Adds the file SCImeBrokerPS.dll"="11/23/2017 12:21 PM, 75808 bytes, A
Adds the file SCImeManager.exe"="11/23/2017 12:21 PM, 2040352 bytes, A
Adds the file SCMBManager.exe"="11/23/2017 12:21 PM, 2770464 bytes, A
Adds the file SCMiNi.exe"="11/23/2017 12:21 PM, 1644064 bytes, A
Adds the file SCMoniter.exe"="11/23/2017 12:21 PM, 1570336 bytes, A
Adds the file SCMutual.exe"="11/23/2017 12:21 PM, 1971744 bytes, A
Adds the file SCPlan.dll"="11/23/2017 12:21 PM, 116768 bytes, A
Adds the file SCPlugin.dll"="11/23/2017 12:21 PM, 5092896 bytes, A
Adds the file SCPower32.exe"="11/23/2017 12:21 PM, 194080 bytes, A
Adds the file SCPower64.exe"="11/23/2017 12:21 PM, 277536 bytes, A
Adds the file ScrSnap.exe"="11/23/2017 12:21 PM, 715672 bytes, A
Adds the file SCService.exe"="11/23/2017 12:21 PM, 1992224 bytes, A
Adds the file SCSkinInst.exe"="11/23/2017 12:21 PM, 1537568 bytes, A
Adds the file SCTool.exe"="11/23/2017 12:21 PM, 1992224 bytes, A
Adds the file SCUninst.exe"="11/23/2017 12:21 PM, 1996320 bytes, A
Adds the file SCUpd.exe"="11/23/2017 12:21 PM, 1480224 bytes, A
Adds the file SCUserPage.exe"="11/23/2017 12:21 PM, 1881632 bytes, A
Adds the file SCWizard.exe"="11/23/2017 12:21 PM, 1844768 bytes, A
Adds the file SCWordSvc.dll"="11/23/2017 12:21 PM, 1381920 bytes, A
Adds the file SCWordSvcHost.exe"="11/23/2017 12:21 PM, 1435168 bytes, A
Adds the file SmartCloudInfo.ini"="11/23/2017 12:23 PM, 255 bytes, A
Adds the file znySrf32.ime"="11/23/2017 12:21 PM, 2315808 bytes, A
Adds the file znySrf64.ime"="11/23/2017 12:21 PM, 3591200 bytes, A
Adds the file znyTSF32.ime"="11/23/2017 12:21 PM, 2837536 bytes, A
Adds the file znyTSF64.ime"="11/23/2017 12:21 PM, 3187232 bytes, A
Adds the folder C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB
Adds the file Header.dat"="11/23/2017 12:21 PM, 2776 bytes, A
Adds the file py.dict.dat"="11/23/2017 12:21 PM, 9378779 bytes, A
Adds the file py.markov.dat"="11/23/2017 12:21 PM, 13461328 bytes, A
Adds the file py.phrase.dat"="11/23/2017 12:21 PM, 8430284 bytes, A
Adds the file PYPhrases.dat"="11/23/2017 12:21 PM, 6318 bytes, A
Adds the file yy.dat"="11/23/2017 12:21 PM, 910898 bytes, A
Adds the file yy.idx"="11/23/2017 12:21 PM, 2773247 bytes, A
Adds the folder C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict
Adds the file Header.dat"="11/23/2017 12:21 PM, 2776 bytes, A
Adds the file py.dict.dat"="11/23/2017 12:21 PM, 9378779 bytes, A
Adds the file py.markov.dat"="11/23/2017 12:21 PM, 13461328 bytes, A
Adds the file py.phrase.dat"="11/23/2017 12:21 PM, 8430284 bytes, A
Adds the file PYPhrases.dat"="11/23/2017 12:21 PM, 6318 bytes, A
Adds the file yy.dat"="11/23/2017 12:21 PM, 910898 bytes, A
Adds the file yy.idx"="11/23/2017 12:21 PM, 2773247 bytes, A
Adds the folder C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Skin
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\智能云输入法
Adds the folder C:\Users\{username}\AppData\LocalLow\BubblesPop
Adds the file CheckToTips.ini"="11/23/2017 12:23 PM, 43 bytes, A
Adds the folder C:\Users\{username}\AppData\LocalLow\MiNiNews
Adds the file Config.ini"="11/23/2017 12:23 PM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME\Back
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME\Config
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME\Skin
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME\UseData
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME.users\BackMB
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME.users\Dict
Adds the folder C:\Users\{username}\AppData\LocalLow\SmartCloudIME.users\MB
Adds the file UserData.db"="11/23/2017 12:23 PM, 2392064 bytes, A
Adds the file UserFreqData.db"="11/23/2017 12:23 PM, 1605632 bytes, A
In the existing folder C:\Windows\System32
Adds the file SCMenu64.dll"="11/23/2017 12:21 PM, 187424 bytes, A
Adds the file znySrf.ime"="11/23/2017 12:21 PM, 3591200 bytes, A
In the existing folder C:\Windows\SysWOW64
Adds the file znySrf.ime"="11/23/2017 12:21 PM, 2315808 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zncel]
"(Default)"="REG_SZ", "SmartCloudPYImeDictFile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.znpf]
"(Default)"="REG_SZ", "SmartCloudPYImeSkinFile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c0d5287c-e671-43c4-98b1-3a25addf79fa}]
"(Default)"="REG_SZ", "menuext"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c0d5287c-e671-43c4-98b1-3a25addf79fa}\InProcServer32]
"(Default)"="REG_SZ", "C:\Windows\system32\SCMenu64.dll"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\menuext]
"(Default)"="REG_SZ", "{c0d5287c-e671-43c4-98b1-3a25addf79fa}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SmartCloudPYImeDictFile]
"(Default)"="REG_SZ", "SmartCloudPYImeDictFile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SmartCloudPYImeDictFile\DefaultIcon]
"(Default)"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCDictInst.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SmartCloudPYImeDictFile\shell\open\command]
"(Default)"="REG_SZ", ""C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCDictInst.exe" -install %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SmartCloudPYImeSkinFile]
"(Default)"="REG_SZ", "SmartCloudPYImeSkinFile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SmartCloudPYImeSkinFile\DefaultIcon]
"(Default)"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCSkinInst.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SmartCloudPYImeSkinFile\shell\open\command]
"(Default)"="REG_SZ", ""C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCSkinInst.exe" -install %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\menuext]
"(Default)"="REG_SZ", "{c0d5287c-e671-43c4-98b1-3a25addf79fa}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{c0d5287c-e671-43c4-98b1-3a25addf79fa}"="REG_SZ", "menuext"
[HKEY_LOCAL_MACHINE\SOFTWARE\SCWordSvc]
"hostExe"="REG_SZ", "C:\Program Files (x86)\SCWordSvc\SCWordSvcHost.exe"
"svcName"="REG_SZ", "SCWordSvc"
"svcPath"="REG_SZ", "C:\Program Files (x86)\SCWordSvc\"
[HKEY_LOCAL_MACHINE\SOFTWARE\SmartCloud]
"ServiceDescription"="REG_SZ", "znshuru"
"ServiceDisplayName"="REG_SZ", "znshuru"
"ServiceImagePath"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe StartService"
"ServiceName"="REG_SZ", "znshuruV1"
[HKEY_LOCAL_MACHINE\SOFTWARE\SmartCloudInput]
"InstallPath"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\"
"LastInstallTime"="REG_SZ", "1511436109"
"UIdentifier"="REG_SZ", "56bcd7fac317a2cfa7180ee317fb05ba"
[HKEY_LOCAL_MACHINE\SOFTWARE\SmartCloudService]
"ServiceDescription"="REG_SZ", "znshuru"
"ServiceDisplayName"="REG_SZ", "znshuru"
"ServiceImagePath"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe StartService"
"ServiceName"="REG_SZ", "znshuruV1"
[HKEY_LOCAL_MACHINE\SOFTWARE\U0NEYXRl]
"LastInstallTime"="REG_SZ", "1511436109"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"SCMutualRunOne"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCMutual.exe RestartRunOneProgram"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\智能云输入法]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCConfig.exe"
"DisplayName"="REG_SZ", "智能云输入法 1.1"
"DisplayVersion"="REG_SZ", "1.1.4.09151"
"Publisher"="REG_SZ", "智能云输入法"
"UninstallString"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCUninst.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost]
"LocalWorkSvc"="REG_MULTI_SZ, "SCWordSvc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SmartCloudInput]
"InstallPath"="REG_SZ", "C:\Program Files (x86)\SmartCloudInput\"
"ServiceName"="REG_SZ", "znshuruV1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File"="REG_SZ", "ZNYSRF.IME"
"Layout File"="REG_SZ", "kbdus.dll"
"Layout Text"="REG_SZ", "中文(简体) - 智能云输入法"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SCWordSvc]
"Description"="REG_SZ", "智能云词库缓存"
"DisplayName"="REG_SZ", "SCWordSvc"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Windows\SysWOW64\svchost.exe -k LocalWorkSvc"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 32
"WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SCWordSvc\Parameters]
"ServiceDll"="REG_EXPAND_SZ, "C:\Program Files (x86)\SCWordSvc\SCWordSvc.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\znshuruV1]
"Description"="REG_SZ", "znshuru"
"DisplayName"="REG_SZ", "znshuru"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe StartService"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 272
"WOW64"="REG_DWORD", 1

Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/23/17
Scan Time: 12:34 PM
Log File: 36709807-d042-11e7-9a3e-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.212
Update Package Version: 1.0.3330
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 334790
Threats Detected: 78
Threats Quarantined: 78
Time Elapsed: 3 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCCloud.exe, Quarantined, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe, Quarantined, [16483], [461380],1.0.3330
Module: 6
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\DuiLib32.dll, Quarantined, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCCloud.exe, Quarantined, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCPlugin.dll, Quarantined, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe, Quarantined, [16483], [461380],1.0.3330
PUP.Optional.Softcnapp, C:\Program Files (x86)\SCWordSvc\SCWordSvc.dll, Quarantined, [2732], [460663],1.0.3330
PUP.Optional.Softcnapp, C:\WINDOWS\SYSTEM32\SCMENU64.DLL, Quarantined, [2732], [355934],1.0.3330
Registry Key: 5
PUP.Optional.SmartCloudInput, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\znshuruV1, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\智能云输入法, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.Softcnapp, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SCWordSvc, Delete-on-Reboot, [2732], [461388],1.0.3330
PUP.Optional.Softcnapp, HKLM\SOFTWARE\CLASSES\CLSID\{c0d5287c-e671-43c4-98b1-3a25addf79fa}, Delete-on-Reboot, [2732], [355934],1.0.3330
PUP.Optional.Softcnapp, HKLM\SOFTWARE\CLASSES\CLSID\{c0d5287c-e671-43c4-98b1-3a25addf79fa}\InprocServer32, Delete-on-Reboot, [2732], [355934],1.0.3330
Registry Value: 2
PUP.Optional.SmartCloudInput, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|SCMutualRunOne, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.Softcnapp, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\APPROVED|{C0D5287C-E671-43C4-98B1-3A25ADDF79FA}, Delete-on-Reboot, [2732], [355934],1.0.3330
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 6
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Skin, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\PROGRAM FILES (X86)\SMARTCLOUDINPUT, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.Softcnapp, C:\PROGRAM FILES (X86)\SCWORDSVC, Delete-on-Reboot, [2732], [460663],1.0.3330
File: 57
PUP.Optional.SmartCloudInput, C:\PROGRAM FILES (X86)\SMARTCLOUDINPUT\__.TXT, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB\Header.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB\py.dict.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB\py.markov.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB\py.phrase.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB\PYPhrases.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB\yy.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\BackMB\yy.idx, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict\Header.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict\py.dict.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict\py.markov.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict\py.phrase.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict\PYPhrases.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict\yy.dat, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Dict\yy.idx, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Skin\___.znpf, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Skin\____.znpf, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Skin\_____.znpf, Delete-on-Reboot, [16483], [461380],1.0.3330
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\Config.ini,
Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\DuiLib32.dll, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCCloud.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCConfig.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCDictInst.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCImeBroker.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCImeBrokerPS.dll, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCImeManager.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCMBManager.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCMiNi.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCMoniter.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCMutual.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCPlan.dll, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCPlugin.dll, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCPower32.exe, Delete-on-Reboot, [16483], 
[461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCPower64.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\ScrSnap.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCService.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCSkinInst.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCTool.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCUninst.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCUpd.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCUserPage.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCWizard.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCWordSvc.dll, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SCWordSvcHost.exe, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\SmartCloudInfo.ini, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\znySrf32.ime, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\znySrf64.ime, Delete-on-Reboot, [16483], [461380],1.0.3330 
PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\znyTSF32.ime, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.SmartCloudInput, C:\Program Files (x86)\SmartCloudInput\1.1.0.0511\znyTSF64.ime, Delete-on-Reboot, [16483], [461380],1.0.3330 PUP.Optional.Softcnapp, C:\PROGRAM FILES (X86)\SCWORDSVC\SVCCONFIG.INI, Delete-on-Reboot, [2732], [460663],1.0.3330 PUP.Optional.Softcnapp, C:\Program Files (x86)\SCWordSvc\info.dat, Delete-on-Reboot, [2732], [460663],1.0.3330 PUP.Optional.Softcnapp, C:\Program Files (x86)\SCWordSvc\SCWordSvc.dll, Delete-on-Reboot, [2732], [460663],1.0.3330 PUP.Optional.Softcnapp, C:\Program Files (x86)\SCWordSvc\SCWordSvcHost.exe, Delete-on-Reboot, [2732], [460663],1.0.3330 PUP.Optional.Softcnapp, C:\WINDOWS\SYSTEM32\SCMENU64.DLL, Delete-on-Reboot, [2732], [355934],1.0.3330 PUP.Optional.Softcnapp, C:\USERS\{username}\DESKTOP\ZNY_ZNYKB004.EXE, Delete-on-Reboot, [2732], [355934],1.0.3330 PUP.Optional.Softcnapp, C:\WINDOWS\SYSWOW64\ZNYSRF.IME, Delete-on-Reboot, [2732], [355934],1.0.3330 PUP.Optional.Softcnapp, C:\WINDOWS\SYSTEM32\ZNYSRF.IME, Delete-on-Reboot, [2732], [355934],1.0.3330 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
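The registry dump above shows three persistence mechanisms that are worth auditing on any Windows machine, not only for this PUP: a private svchost.exe service group (LocalWorkSvc) whose only member, SCWordSvc, loads its ServiceDll from Program Files (x86) as LocalSystem; a second auto-start LocalSystem service (znshuruV1) whose binary also sits outside the Windows directory; and an IME keyboard layout (E0200804, the E0 prefix marks IME layouts) whose ZNYSRF.IME is dropped into both System32 and SysWOW64. The PowerShell script below is an added example, not code from the original post or from Malwarebytes. It reads the live registry of the machine it runs on, flags svchost group members and auto-start services whose binaries live outside %SystemRoot%, and lists every keyboard layout that names an IME file together with that file's Authenticode signer. It assumes an elevated Windows PowerShell 5.1 (or later) prompt; the product names from the dump appear only in comments.

```powershell
# Added example (not from the original post): audit the persistence points used by the
# SmartCloudInput registry entries above. Run from an elevated PowerShell prompt.
$sysRoot = $env:SystemRoot

function Get-SvchostGroupServices {
    # Every svchost.exe group and the ServiceDll each member service loads. The dump above
    # adds a group "LocalWorkSvc" whose member SCWordSvc loads a DLL from Program Files (x86);
    # legitimate group members keep their DLLs under %SystemRoot%.
    $groupKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost'
    )
    foreach ($key in $groupKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($group in $item.GetValueNames()) {
            foreach ($svc in @($item.GetValue($group))) {
                $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
                $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
                if (-not $dll) { continue }
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                [pscustomobject]@{
                    Group      = $group
                    Service    = $svc
                    ServiceDll = $dll
                    Suspicious = -not $dll.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)
                }
            }
        }
    }
}

function Get-AutoStartServicesOutsideWindows {
    # Auto-start (Start = 2) services whose binary is outside %SystemRoot%, like znshuruV1
    # (SCService.exe in Program Files (x86)). Many vendors install services this way,
    # so treat the output as a review list, not a verdict.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath -or $p.Start -ne 2) { return }
        $image = [Environment]::ExpandEnvironmentVariables($p.ImagePath).TrimStart('"')
        if ($image.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)) { return }
        [pscustomobject]@{
            Service   = $_.PSChildName
            Account   = $p.ObjectName
            ImagePath = $p.ImagePath
        }
    }
}

function Get-ImeKeyboardLayouts {
    # Keyboard layouts that name an "Ime File". The IME DLL is loaded into processes that
    # activate the layout, so it deserves the same scrutiny as a shell extension. A bare
    # file name (ZNYSRF.IME above) is resolved from System32 (64-bit) and SysWOW64 (32-bit).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $ime = $p.'Ime File'
        if (-not $ime) { return }
        $candidates = if ($ime -match '\\') { @($ime) }
                      else { @("$sysRoot\System32\$ime", "$sysRoot\SysWOW64\$ime") }
        foreach ($path in $candidates) {
            if (-not (Test-Path $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                LayoutId   = $_.PSChildName
                LayoutText = $p.'Layout Text'
                ImeFile    = $path
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SigStatus  = $sig.Status
            }
        }
    }
}

'== svchost groups and the ServiceDll of each member =='
Get-SvchostGroupServices | Sort-Object Suspicious -Descending | Format-Table -AutoSize
"== auto-start services with binaries outside $sysRoot =="
Get-AutoStartServicesOutsideWindows | Format-Table -AutoSize
'== keyboard layouts that load an IME file =='
Get-ImeKeyboardLayouts | Format-Table -AutoSize
```

On a machine with the entries from the dump above, the first table shows LocalWorkSvc / SCWordSvc with Suspicious set to True, the second lists znshuruV1 running as LocalSystem from Program Files (x86), and the third shows layout E0200804 with ZNYSRF.IME in both System32 and SysWOW64 and whatever signer (if any) the file carries.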
  14. What is MP3 search engine?

The Malwarebytes research team has determined that MP3 search engine is a search and newtab hijacker.

How do I know if my computer is affected by MP3 search engine?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this new tab:

How did MP3 search engine get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was pushed by making visitors believe they needed a new font.

How do I remove MP3 search engine?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of MP3 search engine?

Malwarebytes removes the MP3 search engine files, but, as the scan log below shows, the entry in Chrome's Secure Preferences could not be removed, so you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the MP3 search engine entry and confirm Remove in the prompt.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
We protect our customers from these extensions by blocking the sites that spread them:

Technical details for experts

Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxps://bettersearch.co/search/?type=web&extension=test&query={searchTerms}
CHR DefaultSearchKeyword: Default -> BetterSearch
CHR Extension: (BetterSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa [2017-11-22]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0
   Adds the file background.js"="8/5/2017 5:06 PM, 74 bytes, A
   Adds the file forms.js"="5/21/2017 6:06 PM, 800 bytes, A
   Adds the file google_logo.png"="5/21/2017 9:04 AM, 12054 bytes, A
   Adds the file icon_128.png"="11/22/2017 8:24 AM, 2966 bytes, A
   Adds the file icon_19.png"="11/22/2017 8:24 AM, 151 bytes, A
   Adds the file manifest.json"="11/22/2017 8:24 AM, 1573 bytes, A
   Adds the file myscript.js"="8/5/2017 8:52 PM, 170 bytes, A
   Adds the file newtab.html"="8/5/2017 8:52 PM, 2217 bytes, A
   Adds the file style.css"="5/21/2017 6:09 PM, 1383 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\_metadata
   Adds the file computed_hashes.json"="11/22/2017 8:24 AM, 754 bytes, A
   Adds the file verified_contents.json"="8/8/2017 5:46 AM, 2173 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"idlgphgdjbahlegolggadaflfclhplfa"="REG_SZ", "426AA34F31651EC6B3F0D5CB42FD3B608A9E4222A1D8577679257FA7AEC01374"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/22/17
Scan Time: 11:14 AM
Log File: eccb69bc-cf6d-11e7-a770-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.212
Update Package Version: 1.0.3320
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 334575
Threats Detected: 16
Threats Quarantined: 15
Time Elapsed: 1 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\_metadata, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IDLGPHGDJBAHLEGOLGGADAFLFCLHPLFA, Quarantined, [16320], [461299],1.0.3320

File: 13
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Secure Preferences, Removal Failed, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Preferences, Replaced, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IDLGPHGDJBAHLEGOLGGADAFLFCLHPLFA\1.0.0_0\MANIFEST.JSON, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\_metadata\computed_hashes.json, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\_metadata\verified_contents.json, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\background.js, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\forms.js, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\google_logo.png, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\icon_128.png, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\icon_19.png, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\myscript.js, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\newtab.html, Quarantined, [16320], [461299],1.0.3320
Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idlgphgdjbahlegolggadaflfclhplfa\1.0.0_0\style.css, Quarantined, [16320], [461299],1.0.3320

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  15. What is BringMeSports?

The Malwarebytes research team has determined that BringMeSports is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. BringMeSports is a member of the Mindspark/Ask family, now known as IAC Applications.

How do I know if my computer is affected by BringMeSports?

You may see these browser extensions/add-ons:
these warnings during install:
You may see this entry in your list of installed software:
and this new homepage in the affected browsers:

How did BringMeSports get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.

How do I remove BringMeSports?

Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise following the steps below anyway.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of BringMeSports?

If you are using Chrome, you may have to remove the Extension manually under Tools > More Tools > Extensions. Click on the bin behind the BringMeSports entry and confirm Remove in the prompt.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the BringMeSports hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.
and it blocks traffic to some of their domains:

Technical details for experts

Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/bringmesports/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_1cMembers_@www.bringmesports.com.xpi [2017-11-21]
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2017-11-21] [not signed]
CHR Extension: (BringMeSports) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp [2017-11-21]
C:\Users\{username}\AppData\Local\BringMeSportsTooltab
BringMeSports Internet Explorer Homepage and New Tab (HKCU\...\BringMeSportsTooltab Uninstall Internet Explorer) (Version:  - Mindspark Interactive Network, Inc.) <==== ATTENTION

Note that the {972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi entry is the default theme that ships with Firefox, not part of the hijacker; the hijacker's Firefox component is the _1cMembers_@www.bringmesports.com.xpi file in the profile.

The Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/21/17
Scan Time: 9:19 AM
Log File: c16a7300-ce94-11e7-9d77-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.212
Update Package Version: 1.0.3309
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 334440
Threats Detected: 59
Threats Quarantined: 58
Time Elapsed: 1 min, 52 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 1
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\BringMeSportsTooltab\TooltabExtension.dll, Quarantined, [849], [356944],1.0.3309

Registry Key: 2
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BringMeSportsTooltab Uninstall Internet Explorer, Quarantined, [849], [356944],1.0.3309
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\BringMeSports, Quarantined, [849], [444113],1.0.3309

Registry Value: 2
PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\BringMeSports|START PAGE, Quarantined, [849], [444113],1.0.3309
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BringMeSportsTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [260], [352442],1.0.3309

Registry Data: 1
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [260], [293497],1.0.3309

Data Stream: 0
(No malicious items detected)

Folder: 10
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\BringMeSportsTooltab, Delete-on-Reboot, [849], [356944],1.0.3309
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_1cMembers_@www.bringmesports.com, Quarantined, [849], [457934],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pllnaahmnjfaaoolilcdeephjddobcfp, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\_metadata, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\config, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\icons, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\libs, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PLLNAAHMNJFAAOOLILCDEEPHJDDOBCFP\13.321.12.17428_0, Quarantined, [849], [456842],1.0.3309

File: 43
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\BringMeSportsTooltab\TooltabExtension.dll, Delete-on-Reboot, [849], [356944],1.0.3309
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_1cMembers_@www.bringmesports.com.xpi, Quarantined, [849], [457930],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_1cMembers_@www.bringmesports.com\storage.js, Quarantined, [849], [457934],1.0.3309
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Secure Preferences, Removal Failed, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Preferences, Replaced, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pllnaahmnjfaaoolilcdeephjddobcfp\000003.log, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pllnaahmnjfaaoolilcdeephjddobcfp\CURRENT, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pllnaahmnjfaaoolilcdeephjddobcfp\LOCK, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pllnaahmnjfaaoolilcdeephjddobcfp\LOG, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pllnaahmnjfaaoolilcdeephjddobcfp\MANIFEST-000001, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PLLNAAHMNJFAAOOLILCDEEPHJDDOBCFP\13.321.12.17428_0\CONFIG\CONFIG.JSON, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\icons\icon128.png, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\icons\icon16.png, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\icons\icon19disabled.png, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\icons\icon19on.png, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\icons\icon48.png, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\ajax.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\background.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\chrome.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\content_script.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\dlp.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\dlpHelper.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\extension_detect.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\index.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\logger.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\pageUtils.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\product.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\storage.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\TabManager.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\TemplateParser.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\ul.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\urlFragmentActions.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\urlUtils.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\util.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\js\webtooltabAPI.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\libs\PartnerId.js, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\_metadata\computed_hashes.json, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\_metadata\verified_contents.json, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\dynamicNewTab.html, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\manifest.json, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\product.html, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pllnaahmnjfaaoolilcdeephjddobcfp\13.321.12.17428_0\stubby.html, Quarantined, [849], [456842],1.0.3309
PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\BRINGMESPORTS.EXE, Quarantined, [260], [365288],1.0.3309

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
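The MP3 search engine and BringMeSports posts above change the same set of browser settings: the Chrome default search provider and the extension list (on Windows both live in the profile's Secure Preferences file, which is why both scan logs report Removal Failed on that file and why the extension has to be removed by hand; the MP3 search engine installer also writes a matching hash under HKCU\Software\Google\Chrome\PreferenceMACs, the location where Chrome at the time stored the HMACs that protect tracked preferences, so Chrome accepts the injected settings as its own), the Internet Explorer Start Page value under HKCU\Software\Microsoft\Internet Explorer\Main, and a Firefox profile's extensions folder. The PowerShell script below is an added example, not code from the original posts or from Malwarebytes. It parses Secure Preferences with ConvertFrom-Json, reports a default search URL whose host is not in a trusted list and every extension entry not marked as coming from the Chrome Web Store, reads the IE Start Page value and lists the .xpi files in Firefox profiles. When no Chrome profile is present it runs against a constructed sample that mirrors the MP3 search engine FRST entries (the second extension id in that sample is a placeholder for an ordinary Web Store install); the trusted-host list and the Manifest::Location values used to skip Chrome's own component extensions are assumptions to adjust for your environment.

```powershell
# Added example (not from the original posts): triage the browser settings the two
# NewTab/search hijackers above modify. Runs as the affected user, no elevation needed.

function Get-ChromeHijackIndicators {
    param(
        [Parameter(Mandatory)][string]$PrefsJson,
        # Assumption: the search engines you consider legitimate in your environment.
        [string[]]$TrustedSearchHosts = @('www.google.com', 'www.bing.com', 'duckduckgo.com')
    )
    $prefs = $PrefsJson | ConvertFrom-Json
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Default search provider pointing at a host outside the trusted list
    #    (the MP3 search engine case: bettersearch.co with a {searchTerms} template).
    $tpl = $prefs.default_search_provider_data.template_url_data
    if ($tpl -and $tpl.url -match '^https?://([^/?#]+)') {
        $searchHost = $Matches[1]
        if ($searchHost -notin $TrustedSearchHosts) {
            $findings.Add([pscustomobject]@{ Kind = 'DefaultSearch'; Id = $tpl.keyword; Detail = $tpl.url })
        }
    }

    # 2. Extension entries that did not come from the Chrome Web Store. Component extensions
    #    bundled with Chrome (location 5 and 10 in Chrome's Manifest::Location enum, an
    #    assumption about the enum values) are skipped so they do not drown the list.
    $settings = $prefs.extensions.settings
    if ($settings) {
        foreach ($prop in $settings.PSObject.Properties) {
            $ext = $prop.Value
            if ($ext.location -in @(5, 10)) { continue }
            if ($ext.from_webstore -ne $true) {
                $findings.Add([pscustomobject]@{
                    Kind   = 'SideloadedExtension'
                    Id     = $prop.Name
                    Detail = ('path={0} state={1}' -f $ext.path, $ext.state)
                })
            }
        }
    }
    return $findings
}

function Get-IeStartPage {
    # The BringMeSports FRST line shows this value pointing at hp.myway.com.
    (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
}

function Get-FirefoxProfileExtensions {
    # Every .xpi in a profile's extensions folder, e.g. _1cMembers_@www.bringmesports.com.xpi.
    Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions\*.xpi" -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

# Constructed sample (not a real profile) that reproduces the MP3 search engine entries above;
# the second extension id is a placeholder for a normal Web Store install.
$sampleSecurePrefs = @'
{
  "default_search_provider_data": {
    "template_url_data": {
      "keyword": "BetterSearch",
      "short_name": "BetterSearch",
      "url": "https://bettersearch.co/search/?type=web&extension=test&query={searchTerms}"
    }
  },
  "extensions": {
    "settings": {
      "idlgphgdjbahlegolggadaflfclhplfa": { "from_webstore": false, "location": 1, "state": 1, "path": "idlgphgdjbahlegolggadaflfclhplfa\\1.0.0_0" },
      "abcdefghijklmnopabcdefghijklmnop": { "from_webstore": true,  "location": 1, "state": 1, "path": "abcdefghijklmnopabcdefghijklmnop\\2.0_0" }
    }
  }
}
'@

$securePrefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Secure Preferences'
if (Test-Path $securePrefs) {
    $json = Get-Content -Path $securePrefs -Raw
} else {
    $json = $sampleSecurePrefs
}

'== Chrome: default search provider and side-loaded extensions =='
Get-ChromeHijackIndicators -PrefsJson $json | Format-Table -AutoSize
'IE start page: ' + (Get-IeStartPage)
'== Firefox profile extensions =='
Get-FirefoxProfileExtensions | Format-Table -AutoSize
```

Against the constructed sample the Chrome table contains two rows: a DefaultSearch row for the bettersearch.co template URL and a SideloadedExtension row for idlgphgdjbahlegolggadaflfclhplfa; the placeholder Web Store extension is not reported. On a real profile, run the script while Chrome is closed so the Secure Preferences file is not being rewritten underneath it, and treat every SideloadedExtension row as a candidate for the manual removal step described in both posts rather than as proof of a hijack, since enterprise policy installs also show up here.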