Jump to content

Metallica

Staff
  • Content Count

    2,456
  • Joined

  • Last visited

Everything posted by Metallica

  1. What is Quick PC Tuneup?The Malwarebytes research team has determined that Quick PC Tuneup is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Quick PC Tuneup?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Quick PC Tuneup get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Quick PC Tuneup?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Quick PC Tuneup? No, Malwarebytes removes Quick PC Tuneup completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Quick PC Tuneup installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup.exe (Econosoft Global Services Pte. Ltd.) [File not signed] C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup_protection.exe Task: {AFE76C5B-4FA4-4137-B90E-7822EFDCA653} - System32\Tasks\Quick PC Tuneup Protection Startup => C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup_protection.exe [346112 2019-09-13] (Econosoft Global Services Pte. Ltd.) [File not signed] Task: {F28089C0-D0C6-44BE-BFAE-F57EEC06950C} - System32\Tasks\Quick PC Tuneup => C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup.exe [7004976 2019-09-13] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Windows\system32\Tasks\Quick PC Tuneup Protection Startup C:\Windows\system32\Tasks\Quick PC Tuneup C:\Users\Public\Desktop\Quick PC Tuneup.lnk C:\ProgramData\Desktop\Quick PC Tuneup.lnk C:\Users\{username}\AppData\Roaming\Quick PC Tuneup C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick PC Tuneup C:\Program Files (x86)\Quick PC Tuneup Quick PC Tuneup (HKLM-x32\...\{BBE52FC2-032A-4981-8F4A-10FF6850CC47}}_is1) (Version: v1.0.0 - Econosoft Global Services Pte. Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Quick PC Tuneup Adds the file Core.dll"="8/5/2019 7:50 AM, 237568 bytes, A Adds the file DiscUtils.Common.dll"="8/5/2019 7:50 AM, 23040 bytes, A Adds the file DiscUtils.dll"="8/5/2019 7:50 AM, 915456 bytes, A Adds the file DiscUtils.MSBuild.dll"="8/5/2019 7:50 AM, 8192 bytes, A Adds the file DynamicDataDisplay.dll"="8/5/2019 7:50 AM, 316416 bytes, A Adds the file errordetailsOpt.xml"="10/18/2019 10:57 AM, 572160 bytes, A Adds the file errorlog.txt"="8/5/2019 7:50 AM, 189 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="8/5/2019 7:50 AM, 49152 bytes, A Adds the file Interop.NATUPNPLib.dll"="8/5/2019 7:50 AM, 7680 bytes, A Adds the file Interop.NETCONLib.dll"="8/5/2019 7:50 AM, 10240 bytes, A Adds the file Interop.NetFwTypeLib.dll"="8/5/2019 7:50 AM, 19456 bytes, A Adds the file ISID.dll"="8/5/2019 7:50 AM, 1605120 bytes, A Adds the file logo.ico"="8/28/2019 5:30 PM, 21662 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="8/5/2019 7:50 AM, 171008 bytes, A Adds the file quickpctuneup.exe"="9/13/2019 9:26 AM, 7004976 bytes, A Adds the file quickpctuneup_protection.exe"="9/13/2019 5:12 AM, 346112 bytes, A Adds the file SharpCompress.dll"="8/5/2019 7:50 AM, 418304 bytes, A Adds the file System.Data.SQLite.dll"="8/5/2019 7:50 AM, 280576 bytes, A Adds the file System.Windows.Controls.Layout.Toolkit.dll"="8/5/2019 7:50 AM, 95064 bytes, A Adds the file unins000.dat"="10/18/2019 10:52 AM, 53731 bytes, A Adds the file unins000.exe"="10/18/2019 10:51 AM, 2556720 bytes, A Adds the file unins000.msg"="10/18/2019 10:52 AM, 23069 bytes, A Adds the file WpfAnimatedGif.dll"="8/5/2019 7:50 AM, 28160 bytes, A Adds the file WPFToolkit.dll"="8/5/2019 7:50 AM, 467288 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\de Adds the file quickpctuneup.resources.dll"="9/13/2019 9:25 AM, 77824 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\en Adds the file quickpctuneup.resources.dll"="9/13/2019 9:25 AM, 71168 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\fr Adds the file quickpctuneup.resources.dll"="9/13/2019 9:25 AM, 76288 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\ja-jp Adds the file quickpctuneup.resources.dll"="9/13/2019 9:25 AM, 88576 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\slider Adds the folder C:\Program Files (x86)\Quick PC Tuneup\uni Adds the file System.Data.SQLite.dll"="8/5/2019 7:52 AM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="8/5/2019 7:52 AM, 1051056 bytes, A Adds the file Uninstaller.exe"="9/13/2019 5:12 AM, 603648 bytes, A Adds the file Uninstaller.exe.config"="8/29/2019 8:59 PM, 1567 bytes, A Adds the file Uninstaller.pdb"="9/13/2019 5:12 AM, 448000 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\uni\de Adds the file Uninstaller.resources.dll"="9/13/2019 5:12 AM, 74752 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\uni\en Adds the file Uninstaller.resources.dll"="9/13/2019 5:12 AM, 68096 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\uni\ja-jp Adds the file Uninstaller.resources.dll"="9/13/2019 5:12 AM, 84992 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\uni\x64 Adds the file SQLite.Interop.dll"="8/5/2019 7:50 AM, 1534464 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\uni\x86 Adds the file SQLite.Interop.dll"="8/5/2019 7:50 AM, 1149440 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\x64 Adds the file SQLite.Interop.dll"="8/5/2019 7:50 AM, 1205248 bytes, A Adds the folder C:\Program Files (x86)\Quick PC Tuneup\x86 Adds the file SQLite.Interop.dll"="8/5/2019 7:50 AM, 903168 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick PC Tuneup Adds the file Quick PC Tuneup.lnk"="10/18/2019 10:52 AM, 1189 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Quick PC Tuneup Adds the folder C:\Users\{username}\AppData\Roaming\Quick PC Tuneup\PC Repair Online Adds the folder C:\Users\{username}\AppData\Roaming\Quick PC Tuneup\PC Repair Online\setting Adds the file pbp_sett.ash"="10/18/2019 10:52 AM, 0 bytes, A Adds the file QPT_sett.ash"="10/18/2019 10:57 AM, 302080 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Quick PC Tuneup.lnk"="10/18/2019 10:52 AM, 1171 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Quick PC Tuneup"="10/18/2019 10:52 AM, 3244 bytes, A Adds the file Quick PC Tuneup Protection Startup"="10/18/2019 10:52 AM, 3264 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\QPT\Activation] "Insdate"="REG_SZ", "rZirgo8sJa6whLM/mrq8zsitzmS0ydEnzU2+/YGPR88=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "lzgkSmxXNaWpj17mZ6LXYNmptcAMwM4WPgNnlKziD78=" "lbp"="REG_SZ", "lzgkSmxXNaWpj17mZ6LXYNmptcAMwM4WPgNnlKziD78=" "lr"="REG_SZ", "lzgkSmxXNaWpj17mZ6LXYNmptcAMwM4WPgNnlKziD78=" "lsp"="REG_SZ", "lzgkSmxXNaWpj17mZ6LXYNmptcAMwM4WPgNnlKziD78=" "PN"="REG_SZ", "1-888-200-8889" "Program"="REG_SZ", "Quick PC Tuneup" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\QPT\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "Quick PC Tuneup" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BBE52FC2-032A-4981-8F4A-10FF6850CC47}}_is1] "Comments"="REG_SZ", "Quick PC Tuneup" "Contact"="REG_SZ", "+1(888)200-8889" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Quick PC Tuneup\logo.ico" "DisplayName"="REG_SZ", "Quick PC Tuneup" "DisplayVersion"="REG_SZ", "v1.0.0" "EstimatedSize"="REG_DWORD", 22497 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Quick PC Tuneup" "Inno Setup: Icon Group"="REG_SZ", "Quick PC Tuneup" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "6.0.2 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20191018" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Quick PC Tuneup\" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Quick PC Tuneup\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Quick PC Tuneup\unins000.exe"" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/18/19 Scan Time: 11:04 AM Log File: 3bbc3ce0-f186-11e9-946a-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12961 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234418 Threats Detected: 84 Threats Quarantined: 84 Time Elapsed: 10 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup.exe, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup_protection.exe, Quarantined, [584], [749295],1.0.12961 Module: 4 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\x64\SQLite.Interop.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\x64\SQLite.Interop.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup.exe, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup_protection.exe, Quarantined, [584], [749295],1.0.12961 Registry Key: 9 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\WOW6432NODE\FT\QPT, Quarantined, [1402], [749301],1.0.12961 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Quick PC Tuneup, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F28089C0-D0C6-44BE-BFAE-F57EEC06950C}, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{F28089C0-D0C6-44BE-BFAE-F57EEC06950C}, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Quick PC Tuneup Protection Startup, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{AFE76C5B-4FA4-4137-B90E-7822EFDCA653}, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{AFE76C5B-4FA4-4137-B90E-7822EFDCA653}, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{BBE52FC2-032A-4981-8F4A-10FF6850CC47}}_is1, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\FT\QPT, Quarantined, [1402], [749301],1.0.12961 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\ja-jp, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\x64, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\x86, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\slider, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\de, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\en, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\ja-jp, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\x64, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\x86, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\de, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\en, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\fr, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\PROGRAM FILES (X86)\QUICK PC TUNEUP, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\QUICK PC TUNEUP, Quarantined, [584], [749296],1.0.12961 PUP.Optional.PCBooster, C:\Users\{username}\AppData\Roaming\Quick PC Tuneup\PC Repair Online\setting, Quarantined, [584], [749302],1.0.12961 PUP.Optional.PCBooster, C:\Users\{username}\AppData\Roaming\Quick PC Tuneup\PC Repair Online, Quarantined, [584], [749302],1.0.12961 PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\ROAMING\QUICK PC TUNEUP, Quarantined, [584], [749302],1.0.12961 File: 50 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\de\quickpctuneup.resources.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\en\quickpctuneup.resources.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\fr\quickpctuneup.resources.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\ja-jp\quickpctuneup.resources.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\de\Uninstaller.resources.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\en\Uninstaller.resources.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\ja-jp\Uninstaller.resources.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\x64\SQLite.Interop.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\x86\SQLite.Interop.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\System.Data.SQLite.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\System.Data.SQLite.xml, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\Uninstaller.exe, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\Uninstaller.exe.config, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\uni\Uninstaller.pdb, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\x64\SQLite.Interop.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\x86\SQLite.Interop.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\Core.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\DiscUtils.Common.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\DiscUtils.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\DiscUtils.MSBuild.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\DynamicDataDisplay.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\errordetailsOpt.xml, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\errorlog.txt, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\Interop.IWshRuntimeLibrary.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\Interop.NATUPNPLib.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\Interop.NETCONLib.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\Interop.NetFwTypeLib.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\ISID.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\logo.ico, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\Microsoft.Win32.TaskScheduler.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup.exe, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\quickpctuneup_protection.exe, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\SharpCompress.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\System.Data.SQLite.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\System.Windows.Controls.Layout.Toolkit.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\unins000.dat, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\unins000.exe, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\unins000.msg, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\WpfAnimatedGif.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\Program Files (x86)\Quick PC Tuneup\WPFToolkit.dll, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\Quick PC Tuneup, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Quick PC Tuneup.lnk, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\USERS\PUBLIC\Desktop\Quick PC Tuneup.lnk, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\WINDOWS\SYSTEM32\TASKS\Quick PC Tuneup Protection Startup, Quarantined, [584], [749295],1.0.12961 PUP.Optional.PCBooster, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quick PC Tuneup\Quick PC Tuneup.lnk, Quarantined, [584], [749296],1.0.12961 PUP.Optional.PCBooster, C:\Users\{username}\AppData\Roaming\Quick PC Tuneup\PC Repair Online\setting\pbp_sett.ash, Quarantined, [584], [749302],1.0.12961 PUP.Optional.PCBooster, C:\Users\{username}\AppData\Roaming\Quick PC Tuneup\PC Repair Online\setting\QPT_sett.ash, Quarantined, [584], [749302],1.0.12961 PUP.Optional.PCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{57D9D2C9-54A0-4AF0-8D30-1DE5AC803F1C}-QUICKPCTUNEUP.EXE, Quarantined, [584], [711523],1.0.12961 PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-0DDSB.TMP\QUICKPCTUNEUP.TMP, Quarantined, [584], [711523],1.0.12961 PUP.Optional.PCBooster, C:\USERS\{username}\DOWNLOADS\QUICKPCTUNEUP.EXE, Quarantined, [584], [711523],1.0.12961 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is Complete System Care?The Malwarebytes research team has determined that Complete System Care is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Complete System Care?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Complete System Care get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Complete System Care?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Complete System Care? No, Malwarebytes removes Complete System Care completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Complete System Care installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (QUANTUM TECHNOLOGIES -> ) C:\Program Files\Complete System Care for {computername}\cpcpro.exe Task: {4D2F53C8-92F8-4DAB-A06B-EC6AD9A2DE57} - System32\Tasks\Complete System Care_Logon => C:\Program Files\Complete System Care for {computername}\cpcpro.exe [4798536 2019-10-11] (QUANTUM TECHNOLOGIES -> ) C:\Users\{username}\AppData\Roaming\Complete System Care For {computername} C:\Windows\system32\Tasks\Complete System Care_Logon C:\Users\Public\Desktop\Complete System Care.lnk C:\ProgramData\Desktop\Complete System Care.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Complete System Care C:\ProgramData\Complete System Care For {computername} C:\Program Files\Complete System Care for {computername} (Complete System Care) C:\Users\{username}\Desktop\cscsetup.exe Complete System Care (HKLM-x32\...\Complete System Care For {computername}) (Version: 1.0.0.0 - Complete System Care) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Complete System Care for {computername} Adds the file application.ico"="9/30/2019 10:56 AM, 161862 bytes, A Adds the file cpcpro.exe"="10/11/2019 1:50 PM, 4798536 bytes, A Adds the file cpcpro.exe.config"="10/11/2019 1:50 PM, 4290 bytes, A Adds the file extres.dll"="10/11/2019 1:50 PM, 439368 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="10/11/2019 1:50 PM, 63560 bytes, A Adds the file Interop.WUApiLib.dll"="10/11/2019 1:50 PM, 100424 bytes, A Adds the file langs.db"="10/10/2019 12:33 PM, 642048 bytes, A Adds the file Microsoft.TeamFoundation.Common.dll"="10/11/2019 1:50 PM, 644680 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="10/11/2019 1:50 PM, 185416 bytes, A Adds the file NAudio.dll"="10/11/2019 1:50 PM, 485448 bytes, A Adds the file Newtonsoft.Json.dll"="10/11/2019 1:50 PM, 475208 bytes, A Adds the file System.Data.SQLite.dll"="10/11/2019 1:50 PM, 305224 bytes, A Adds the file TAFactory.IconPack.dll"="10/11/2019 1:50 PM, 51272 bytes, A Adds the file Uninstall.exe"="10/11/2019 1:51 PM, 226808 bytes, A Adds the folder C:\Program Files\Complete System Care for {computername}\x64 Adds the file SQLite.Interop.dll"="10/11/2019 1:50 PM, 1189960 bytes, A Adds the folder C:\Program Files\Complete System Care for {computername}\x86 Adds the file SQLite.Interop.dll"="10/11/2019 1:50 PM, 868936 bytes, A Adds the folder C:\ProgramData\Complete System Care For {computername} Adds the file mdb.db"="5/29/2019 12:23 PM, 6643712 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Complete System Care Adds the file Buy Complete System Care.lnk"="10/17/2019 8:56 AM, 1953 bytes, A Adds the file Complete System Care.lnk"="10/17/2019 8:56 AM, 1937 bytes, A Adds the file Uninstall Complete System Care.lnk"="10/17/2019 8:56 AM, 1960 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Complete System Care For {computername} Adds the file Errorlog.txt"="10/17/2019 9:00 AM, 38304 bytes, A Adds the file exlist.bin"="10/17/2019 8:56 AM, 258019 bytes, A Adds the file notifier.xml"="10/17/2019 8:57 AM, 8516 bytes, A Adds the file res.xml"="10/17/2019 9:00 AM, 31863 bytes, A Adds the file update.xml"="10/17/2019 8:56 AM, 22106 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog Adds the file Bookmark_Backup.xml"="10/17/2019 9:00 AM, 944 bytes, A Adds the file Cache.xml"="10/17/2019 9:00 AM, 48317 bytes, A Adds the file Cookies.xml"="10/17/2019 9:00 AM, 4862 bytes, A Adds the file History.xml"="10/17/2019 9:00 AM, 1483 bytes, A Adds the file Session.xml"="10/17/2019 9:00 AM, 1940 bytes, A Adds the file Temp_Internet_Files_Folder.xml"="10/17/2019 9:00 AM, 17496 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Complete System Care.lnk"="10/17/2019 8:56 AM, 999 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Complete System Care_Logon"="10/17/2019 8:56 AM, 3088 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Complete System Care For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.advance-pctool.best/install/csc/?" "afterUnInstallUrl"="REG_SZ", "http://ins.advance-pctool.best/uninstall/csc/" "country"="REG_SZ", "" "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "emailurl"="REG_SZ", "support@syscarehelp.com" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ................................................................. "InstallString"="REG_SZ", "C:\Program Files (x86)\Complete System Care" "ipaddrurl"="REG_SZ", "http://ins.advance-pctool.best/getip/" "isinstfont"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 0 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 33 "lstscandate"="REG_SZ", "10/17/2019 9:00:17 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 759 "paramurl"="REG_SZ", "http://trkr.completesystemcare.co/ipfiles/" "pdtm"="REG_SZ", "60" "PurchaseURL"="REG_SZ", "http://store.completesystemcare.co/csc/price" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.completesystemcare.co/csc/price" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showpriceplan"="REG_DWORD", 3 "supporturl"="REG_SZ", "http://advance-pctool.best/help" "TELNOLIVE"="REG_SZ", "" "trialshwng"="REG_SZ", "7" "weburl"="REG_SZ", "http://advance-pctool.best/" "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_253" [HKEY_LOCAL_MACHINE\SOFTWARE\csc-pr] "affiliateid"="REG_SZ", "" "pname"="REG_SZ", "Complete System Care" "pxl"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Q29tcGxldGUgU3lzdGVtIENhcmU=\ACT] "data"="REG_BINARY, ........................................................................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Complete System Care For {computername}] "DisplayIcon"="REG_SZ", "C:\Program Files\Complete System Care for {computername}\application.ico" "DisplayName"="REG_SZ", "Complete System Care" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 10000 "HelpLink"="REG_SZ", "http://advance-pctool.best/help" "InstallLocation"="REG_SZ", ""C:\Program Files\Complete System Care for {computername}"" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Complete System Care" "QuietUninstallString"="REG_SZ", ""C:\Program Files\Complete System Care for {computername}\uninstall.exe" /S" "UninstallString"="REG_SZ", ""C:\Program Files\Complete System Care for {computername}\uninstall.exe"" "URLInfoAbout"="REG_SZ", "http://advance-pctool.best/help" "URLUpdateInfo"="REG_SZ", "http://advance-pctool.best/help" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Complete System Care For {computername}] "InstallString"="REG_SZ", "C:\Program Files\Complete System Care for {computername}" "LangCode"="REG_SZ", "en" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "{user_ip" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/17/19 Scan Time: 9:14 AM Log File: b0fbb8fc-f0ad-11e9-8495-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12941 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234477 Threats Detected: 37 Threats Quarantined: 37 Time Elapsed: 8 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\PROGRAM FILES\COMPLETE SYSTEM CARE FOR {computername}\CPCPRO.EXE, Quarantined, [482], [748132],1.0.12941 Module: 1 PUP.Optional.PCVARK, C:\PROGRAM FILES\COMPLETE SYSTEM CARE FOR {computername}\CPCPRO.EXE, Quarantined, [482], [748132],1.0.12941 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\Complete System Care For {computername}, Quarantined, [482], [748143],1.0.12941 PUP.Optional.PCVARK, HKLM\SOFTWARE\csc-pr, Quarantined, [482], [748151],1.0.12941 PUP.Optional.PCVARK, HKLM\SOFTWARE\Q29tcGxldGUgU3lzdGVtIENhcmU=, Quarantined, [482], [748149],1.0.12941 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Complete System Care_Logon, Quarantined, [482], [748144],1.0.12941 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4D2F53C8-92F8-4DAB-A06B-EC6AD9A2DE57}, Quarantined, [482], [748144],1.0.12941 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{4D2F53C8-92F8-4DAB-A06B-EC6AD9A2DE57}, Quarantined, [482], [748144],1.0.12941 PUP.Optional.PCVARK, HKCU\SOFTWARE\Complete System Care For {computername}, Quarantined, [482], [748138],1.0.12941 PUP.Optional.PCVARK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Complete System Care For {computername}, Quarantined, [482], [748139],1.0.12941 Registry Value: 1 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{4D2F53C8-92F8-4DAB-A06B-EC6AD9A2DE57}|PATH, Quarantined, [482], [748146],1.0.12941 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.PCVARK, C:\PROGRAMDATA\Complete System Care For {computername}, Quarantined, [482], [748141],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\smico, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Complete System Care For {computername}, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\COMPLETE SYSTEM CARE, Quarantined, [482], [748148],1.0.12941 File: 21 PUP.Optional.PCVARK, C:\PROGRAMDATA\Complete System Care For {computername}\mdb.db, Quarantined, [482], [748141],1.0.12941 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Complete System Care For {computername}\Errorlog.txt, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog\Bookmark_Backup.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog\Cache.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog\Cookies.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog\History.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog\Session.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\privlog\Temp_Internet_Files_Folder.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\exlist.bin, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\notifier.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\res.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Complete System Care For {computername}\update.xml, Quarantined, [482], [748140],1.0.12941 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\COMPLETE SYSTEM CARE\BUY COMPLETE SYSTEM CARE.LNK, Quarantined, [482], [748148],1.0.12941 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Complete System Care\Complete System Care.lnk, Quarantined, [482], [748148],1.0.12941 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Complete System Care\Uninstall Complete System Care.lnk, Quarantined, [482], [748148],1.0.12941 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Complete System Care_Logon, Quarantined, [482], [748144],1.0.12941 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\COMPLETE SYSTEM CARE.LNK, Quarantined, [482], [748150],1.0.12941 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Complete System Care.lnk, Quarantined, [482], [748132],1.0.12941 PUP.Optional.PCVARK, C:\PROGRAM FILES\COMPLETE SYSTEM CARE FOR {computername}\CPCPRO.EXE, Quarantined, [482], [748132],1.0.12941 PUP.Optional.PCVARK, C:\PROGRAM FILES\COMPLETE SYSTEM CARE FOR {computername}\UNINSTALL.EXE, Quarantined, [482], [748128],1.0.12941 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\CSCSETUP.EXE, Quarantined, [482], [748128],1.0.12941 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Convert My Vid Search?The Malwarebytes research team has determined that Convert My Vid Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Convert My Vid Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Convert My Vid Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Convert My Vid Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Convert My Vid Search? No, Malwarebytes removes Convert My Vid Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Convert My Vid Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.convertmyvid.com/?q={searchTerms}&publisher=convertmyvid&barcodeid=560790000000000 CHR DefaultSearchKeyword: Default -> ConvertMyVid CHR DefaultSuggestURL: Default -> hxxps://api.convertmyvid.com/suggest/get?q={searchTerms} CHR Extension: (ConvertMyVid) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg [2019-10-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0 Adds the file manifest.json"="10/16/2019 9:18 AM, 2103 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\_metadata Adds the file computed_hashes.json"="10/16/2019 9:18 AM, 6088 bytes, A Adds the file verified_contents.json"="10/4/2019 2:10 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\images\icons Adds the file 128x128.png"="10/16/2019 9:18 AM, 7324 bytes, A Adds the file 16x16.png"="10/16/2019 9:18 AM, 545 bytes, A Adds the file 64x64.png"="10/16/2019 9:18 AM, 3166 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\scripts Adds the file background.js"="9/26/2019 5:01 PM, 511601 bytes, A Adds the file sitecontent.js"="9/26/2019 5:01 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jcdombhipjkifdfnejpndamlhihhihpg Adds the file Convert My Vid Search.ico"="10/16/2019 9:19 AM, 185989 bytes, A Adds the file Convert My Vid Search.ico.md5"="10/16/2019 9:19 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jcdombhipjkifdfnejpndamlhihhihpg"="REG_SZ", "5D6739DE549B294A41FDF7F4B30B174BF53255DFEF6C1A8652D4854FAFDF4D4F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/16/19 Scan Time: 9:40 AM Log File: 2c3e400a-efe8-11e9-a8d1-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12929 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234236 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 7 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ConvertMyVid, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jcdombhipjkifdfnejpndamlhihhihpg, Quarantined, [247], [747496],1.0.12929 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\images\icons, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\_metadata, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\scripts, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\images, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JCDOMBHIPJKIFDFNEJPNDAMLHIHHIHPG, Quarantined, [247], [747496],1.0.12929 File: 12 PUP.Optional.ConvertMyVid, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JCDOMBHIPJKIFDFNEJPNDAMLHIHHIHPG\1.0.3_0\MANIFEST.JSON, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\images\icons\128x128.png, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\images\icons\16x16.png, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\images\icons\64x64.png, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\scripts\background.js, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\scripts\sitecontent.js, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\_metadata\computed_hashes.json, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdombhipjkifdfnejpndamlhihhihpg\1.0.3_0\_metadata\verified_contents.json, Quarantined, [247], [747496],1.0.12929 PUP.Optional.ConvertMyVid, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [747497],1.0.12929 PUP.Optional.ConvertMyVid, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [747497],1.0.12929 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is BitSecure AV?The Malwarebytes research team has determined that BitSecure AV is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with BitSecure AV?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did BitSecure AV get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove BitSecure AV?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of BitSecure AV? No, Malwarebytes removes BitSecure AV completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the BitSecure AV installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (DIGITAL PROTECTION SERVICES S.R.L. -> bitsecureav.com) C:\Program Files\BitSecure AV\bsav.exe (DIGITAL PROTECTION SERVICES S.R.L. -> bitsecureav.com) C:\Program Files\BitSecure AV\bsavprotection.exe Task: {1ED375AE-CA49-4618-B647-E2A404CAA456} - System32\Tasks\BitSecure AV_Logon => C:\Program Files\BitSecure AV\bsavmntr.exe [499368 2019-09-24] (DIGITAL PROTECTION SERVICES S.R.L. -> bitsecureav.com) R2 BSAVProtection; C:\Program Files\BitSecure AV\bsavprotection.exe [1470632 2019-09-24] (DIGITAL PROTECTION SERVICES S.R.L. -> bitsecureav.com) R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [196344 2019-01-07] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [153552 2019-01-07] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [35328 2019-01-07] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Windows\system32\Tasks\BitSecure AV_Logon C:\ProgramData\bitsecureav.com C:\Users\Public\Desktop\BitSecure AV.lnk C:\ProgramData\Desktop\BitSecure AV.lnk C:\Users\{username}\AppData\Roaming\bitsecureav.com C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitSecure AV C:\Program Files\BitSecure AV BitSecure AV (HKLM-x32\...\bitsecureav.com BitSecure AV) (Version: 1.0.0.10 - bitsecureav.com) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\BitSecure AV Adds the file application.ico"="5/2/2019 9:08 AM, 478058 bytes, A Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file bsav.exe"="9/24/2019 7:00 AM, 6750376 bytes, A Adds the file bsav.exe.config"="9/20/2019 10:19 AM, 2306 bytes, A Adds the file bsavmntr.exe"="9/24/2019 7:00 AM, 499368 bytes, A Adds the file bsavmntr.exe.config"="6/18/2019 11:44 AM, 814 bytes, A Adds the file bsavprotection.exe"="9/24/2019 7:00 AM, 1470632 bytes, A Adds the file bsavprotection.exe.config"="9/18/2019 11:17 AM, 2043 bytes, A Adds the file bsavprotection.InstallState"="10/15/2019 9:02 AM, 5012 bytes, A Adds the file HtmlRenderer.dll"="9/23/2019 9:42 AM, 237224 bytes, A Adds the file HtmlRenderer.WPF.dll"="9/23/2019 9:42 AM, 63656 bytes, A Adds the file ICSharpCode.SharpZipLib.dll"="9/23/2019 9:41 AM, 208040 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="9/23/2019 9:41 AM, 64680 bytes, A Adds the file Interop.NetFwTypeLib.dll"="9/23/2019 9:42 AM, 48296 bytes, A Adds the file Interop.SHDocVw.dll"="9/23/2019 9:42 AM, 179368 bytes, A Adds the file Interop.Shell32.dll"="9/23/2019 9:42 AM, 64680 bytes, A Adds the file langs.db"="9/24/2019 6:56 AM, 176128 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="9/23/2019 9:41 AM, 186536 bytes, A Adds the file Moq.dll"="1/7/2019 1:41 PM, 678912 bytes, A Adds the file msvcr120.dll"="1/7/2019 1:40 PM, 968880 bytes, A Adds the file Newtonsoft.Json.dll"="9/23/2019 9:41 AM, 476328 bytes, A Adds the file NLog.dll"="1/7/2019 1:41 PM, 480768 bytes, A Adds the file Savapi.NET.dll"="9/23/2019 9:42 AM, 73384 bytes, A Adds the file System.Data.SQLite.DLL"="9/23/2019 9:41 AM, 347304 bytes, A Adds the file System.Data.SQLite.Linq.dll"="9/23/2019 9:41 AM, 212136 bytes, A Adds the file System.Threading.dll"="2/11/2019 8:11 AM, 387408 bytes, A Adds the file TAFactory.IconPack.dll"="9/23/2019 9:41 AM, 52392 bytes, A Adds the file Uninstall.exe"="9/24/2019 7:00 AM, 545688 bytes, A Adds the file WPFToolkit.dll"="2/11/2019 8:11 AM, 467288 bytes, A Adds the folder C:\Program Files\BitSecure AV\AutoItInstaller Adds the file Uninstall.exe"="9/5/2019 2:02 PM, 545688 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi Adds the file aebb.dll"="10/15/2019 9:10 AM, 72056 bytes, A Adds the file aecore.dll"="10/15/2019 9:10 AM, 287264 bytes, A Adds the file aecrypto.dll"="10/15/2019 9:10 AM, 141800 bytes, A Adds the file aedroid.dll"="10/15/2019 9:10 AM, 2813632 bytes, A Adds the file aedroid_gwf.dat"="10/15/2019 9:10 AM, 4371320 bytes, A Adds the file aeemu.dll"="10/15/2019 9:10 AM, 421160 bytes, A Adds the file aeexp.dll"="10/15/2019 9:10 AM, 403624 bytes, A Adds the file aeexp_gwf.dat"="10/15/2019 9:10 AM, 60496 bytes, A Adds the file aegen.dll"="10/15/2019 9:10 AM, 720400 bytes, A Adds the file aehelp.dll"="10/15/2019 9:10 AM, 300640 bytes, A Adds the file aeheur.dll"="10/15/2019 9:10 AM, 10869376 bytes, A Adds the file aeheur_agen.dat"="10/15/2019 9:10 AM, 1546392 bytes, A Adds the file aeheur_gwf.dat"="10/15/2019 9:10 AM, 912 bytes, A Adds the file aeheur_mv.dat"="10/15/2019 9:10 AM, 3138008 bytes, A Adds the file aelibinf.dll"="10/15/2019 9:10 AM, 80376 bytes, A Adds the file aelibinf_db.dat"="10/15/2019 9:10 AM, 88632 bytes, A Adds the file aelidb.dat"="10/15/2019 9:10 AM, 88248 bytes, A Adds the file aemobile.dll"="10/15/2019 9:10 AM, 362072 bytes, A Adds the file aeoffice.dll"="10/15/2019 9:10 AM, 785504 bytes, A Adds the file aeoffice_gwf.dat"="10/15/2019 9:10 AM, 31528 bytes, A Adds the file aepack.dll"="10/15/2019 9:10 AM, 870016 bytes, A Adds the file aerdl.dll"="10/15/2019 9:10 AM, 1268984 bytes, A Adds the file aesbx.dll"="10/15/2019 9:10 AM, 1667056 bytes, A Adds the file aescn.dll"="10/15/2019 9:10 AM, 163488 bytes, A Adds the file aescript.dll"="10/15/2019 9:10 AM, 1148464 bytes, A Adds the file aeset.dat"="10/15/2019 9:10 AM, 3270 bytes, A Adds the file aevdf.dat"="10/15/2019 9:10 AM, 5644 bytes, A Adds the file aevdf.dll"="10/15/2019 9:10 AM, 154264 bytes, A Adds the file avupdate.exe"="1/7/2019 1:40 PM, 1967224 bytes, A Adds the file avupdate.log"="10/15/2019 9:11 AM, 184658 bytes, A Adds the file avupdate_msg.avr"="1/7/2019 1:41 PM, 6392 bytes, A Adds the file avupdate-savapilib-engine.conf"="2/7/2019 7:14 AM, 384 bytes, A Adds the file cacert.crt"="3/11/2019 2:03 PM, 6065 bytes, A Adds the file HBEDV.KEY"="1/7/2019 1:41 PM, 1024 bytes, A Adds the file local000.vdf"="10/15/2019 9:11 AM, 82297856 bytes, A Adds the file msvcp120.dll"="1/7/2019 1:41 PM, 455328 bytes, A Adds the file msvcr120.dll"="1/7/2019 1:40 PM, 970912 bytes, A Adds the file savapi.dll"="3/15/2019 10:46 AM, 1804680 bytes, A Adds the file xbv00000.vdf"="10/15/2019 9:10 AM, 43855208 bytes, A Adds the file xbv00255.vdf"="10/15/2019 9:10 AM, 2408 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\idx Adds the file module-vdf.info"="10/15/2019 9:11 AM, 142051 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access Adds the file on-access-drivers-install.cmd"="1/7/2019 1:40 PM, 5844 bytes, A Adds the file on-access-drivers-uninstall.cmd"="1/7/2019 1:40 PM, 7569 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\utils Adds the file on-access-drivers-final.cmd"="1/7/2019 1:40 PM, 2385 bytes, A Adds the file on-access-drivers-post.cmd"="1/7/2019 1:40 PM, 3835 bytes, A Adds the file on-access-drivers-pre.cmd"="1/7/2019 1:40 PM, 4641 bytes, A Adds the file sd_inst.exe"="1/7/2019 1:40 PM, 90368 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win32\vista Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2463 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 130912 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 1962 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 156088 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 1888 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 35840 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win32\win7 Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.cat"="1/7/2019 1:40 PM, 679 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2463 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 130912 bytes, A Adds the file avipbb.cat"="1/7/2019 1:40 PM, 7940 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 1962 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 156088 bytes, A Adds the file avkmgr.cat"="1/7/2019 1:40 PM, 714 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 1888 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 35840 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win32\win8 Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.cat"="1/7/2019 1:40 PM, 9565 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2536 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 147576 bytes, A Adds the file avipbb.cat"="1/7/2019 1:40 PM, 9648 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 2051 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 168776 bytes, A Adds the file avkmgr.cat"="1/7/2019 1:40 PM, 9567 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 1888 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 53256 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win32\xp Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2463 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 130912 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 1962 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 156088 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 1888 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 35840 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win64\vista Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.cat"="1/7/2019 1:40 PM, 7831 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2536 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 196344 bytes, A Adds the file avipbb.cat"="1/7/2019 1:40 PM, 7940 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 2052 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 153552 bytes, A Adds the file avkmgr.cat"="1/7/2019 1:40 PM, 7829 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 2000 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 35328 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win64\win7 Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.cat"="1/7/2019 1:40 PM, 7831 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2536 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 196344 bytes, A Adds the file avipbb.cat"="1/7/2019 1:40 PM, 7940 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 2052 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 153552 bytes, A Adds the file avkmgr.cat"="1/7/2019 1:40 PM, 7829 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 2000 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 35328 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win64\win8 Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.cat"="1/7/2019 1:40 PM, 9573 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2536 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 178840 bytes, A Adds the file avipbb.cat"="1/7/2019 1:40 PM, 9656 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 2052 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 169864 bytes, A Adds the file avkmgr.cat"="1/7/2019 1:40 PM, 9574 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 2000 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 44488 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\on_access\win64\xp Adds the file avgio.dll"="1/7/2019 1:40 PM, 61872 bytes, A Adds the file avgntflt.inf"="1/7/2019 1:40 PM, 2400 bytes, A Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 187592 bytes, A Adds the file avipbb.inf"="1/7/2019 1:40 PM, 1912 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 144832 bytes, A Adds the file avkmgr.inf"="1/7/2019 1:40 PM, 1937 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 27424 bytes, A Adds the folder C:\Program Files\BitSecure AV\savapi\tmp Adds the folder C:\Program Files\BitSecure AV\websec Adds the file ICSharpCode.SharpZipLib.dll"="9/23/2019 9:41 AM, 208040 bytes, A Adds the file langs.db"="9/3/2019 1:01 PM, 65536 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="9/23/2019 9:41 AM, 186536 bytes, A Adds the file Newtonsoft.Json.dll"="9/23/2019 9:41 AM, 463016 bytes, A Adds the file System.Data.SQLite.DLL"="9/23/2019 9:41 AM, 347304 bytes, A Adds the file System.Data.SQLite.Linq.dll"="9/23/2019 9:41 AM, 212136 bytes, A Adds the file System.Threading.dll"="1/7/2019 1:41 PM, 387408 bytes, A Adds the file TAFactory.IconPack.dll"="9/23/2019 9:42 AM, 52392 bytes, A Adds the file WebExtNotifier.exe"="9/23/2019 9:41 AM, 1280168 bytes, A Adds the file WebExtNotifier.exe.config"="9/4/2019 11:48 AM, 1321 bytes, A Adds the folder C:\Program Files\BitSecure AV\websec\x64 Adds the file SQLite.Interop.dll"="9/23/2019 9:42 AM, 1495720 bytes, A Adds the folder C:\Program Files\BitSecure AV\websec\x86 Adds the file SQLite.Interop.dll"="9/23/2019 9:42 AM, 1062568 bytes, A Adds the folder C:\Program Files\BitSecure AV\x64 Adds the file SQLite.Interop.dll"="9/23/2019 9:41 AM, 1495720 bytes, A Adds the folder C:\Program Files\BitSecure AV\x86 Adds the file SQLite.Interop.dll"="9/23/2019 9:41 AM, 1062568 bytes, A Adds the folder C:\ProgramData\bitsecureav.com Adds the folder C:\ProgramData\bitsecureav.com\BitSecure AV Adds the file act.xml"="10/15/2019 9:03 AM, 346 bytes, A Adds the file ApSetting.xml"="10/15/2019 9:03 AM, 252 bytes, A Adds the file AvSetting.db"="10/15/2019 10:05 AM, 32768 bytes, A Adds the file bkp.xml"="10/15/2019 9:15 AM, 349 bytes, A Adds the file Cuarentena.db"="10/15/2019 9:03 AM, 12288 bytes, A Adds the file DbVersion.xml"="10/15/2019 9:12 AM, 648 bytes, A Adds the file Errorlog.txt"="10/15/2019 10:05 AM, 10644 bytes, A Adds the file inslog.log"="10/15/2019 9:02 AM, 1312 bytes, A Adds the file Result.cb"="10/15/2019 10:05 AM, 27242 bytes, A Adds the file startup.xml"="10/15/2019 9:12 AM, 3757 bytes, A Adds the file update.xml"="10/15/2019 9:03 AM, 330 bytes, A Adds the file whitelist.xml"="10/15/2019 9:03 AM, 26480 bytes, A Adds the folder C:\ProgramData\bitsecureav.com\BitSecure AV\Backups Adds the file bsavbak_15102019_091312.zip"="10/15/2019 9:15 AM, 18261485 bytes, A Adds the folder C:\ProgramData\bitsecureav.com\BitSecure AV\junklog Adds the file CGTrace_Cache.xml"="10/15/2019 9:13 AM, 49260 bytes, A Adds the file CGTrace_Cookies.xml"="10/15/2019 9:12 AM, 4443 bytes, A Adds the file CGTrace_History.xml"="10/15/2019 9:12 AM, 768 bytes, A Adds the file CGTrace_Session.xml"="10/15/2019 9:13 AM, 1940 bytes, A Adds the file FFTrace_Bookmark_Backup.xml"="10/15/2019 9:12 AM, 944 bytes, A Adds the file IETrace_History.xml"="10/15/2019 9:12 AM, 883 bytes, A Adds the file IETrace_Temp_Internet_Files_Folder.xml"="10/15/2019 9:12 AM, 14352 bytes, A Adds the file LogFilesActivityTrace.xml"="10/15/2019 9:13 AM, 513 bytes, A Adds the file TempFiles.xml"="10/15/2019 9:13 AM, 85082 bytes, A Adds the file ThumbnailCache.xml"="10/15/2019 9:13 AM, 730 bytes, A Adds the folder C:\ProgramData\bitsecureav.com\BitSecure Web Safe\FF Adds the file com.bitsecurewebsafe.native.json"="10/15/2019 9:12 AM, 244 bytes, A Adds the file install_host.bat"="10/15/2019 9:12 AM, 140 bytes, A Adds the folder C:\ProgramData\bitsecureav.com\BitSecure Web Safe\GC Adds the file com.bitsecurewebsafe.native.json"="10/15/2019 9:12 AM, 250 bytes, A Adds the file install_host.bat"="10/15/2019 9:12 AM, 146 bytes, A Adds the folder C:\ProgramData\bitsecureav.com\BitSecure Web Safe\IE Adds the file com.bitsecurewebsafe.native.json"="10/15/2019 9:12 AM, 160 bytes, A Adds the file install_host.bat"="10/15/2019 9:12 AM, 185 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitSecure AV Adds the file BitSecure AV.lnk"="10/15/2019 9:02 AM, 1780 bytes, A Adds the file Buy BitSecure AV.lnk"="10/15/2019 9:02 AM, 1800 bytes, A Adds the file Uninstall BitSecure AV.lnk"="10/15/2019 9:02 AM, 1819 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\bitsecureav.com\BitSecure Web Safe Adds the file 2019_10_15_ErrorLog.txt"="10/15/2019 9:12 AM, 4176 bytes, A Adds the file langs.db"="9/3/2019 1:01 PM, 65536 bytes, A Adds the file webblocker.db"="9/3/2019 1:01 PM, 2015232 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file BitSecure AV.lnk"="10/15/2019 9:02 AM, 896 bytes, A In the existing folder C:\Windows\System32\drivers Adds the file avgntflt.sys"="1/7/2019 1:40 PM, 196344 bytes, A Adds the file avipbb.sys"="1/7/2019 1:40 PM, 153552 bytes, A Adds the file avkmgr.sys"="1/7/2019 1:40 PM, 35328 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file BitSecure AV_Logon"="10/15/2019 9:03 AM, 3038 bytes, A In the existing folder C:\Windows\SysWOW64 Adds the file logAV_15-10-19_10-04-36"="10/15/2019 10:05 AM, 1673 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\bitsecureav.com\BitSecure AV] "afterInstallUrl"="REG_SZ", "http://ins.bitsecureav.com/install/btsav/?" "country"="REG_SZ", "" "dbavailable"="REG_DWORD", 0 "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................... "InstallString"="REG_SZ", "C:\Program Files (x86)\BitSecure AV" "ipaddrurl"="REG_SZ", "http://ins.bitsecureav.com/getip/" "isfirstshow"="REG_DWORD", 0 "isinstfont"="REG_DWORD", 1 "isppi"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 0 "LangCode"="REG_SZ", "en" "lstscnsett"="REG_BINARY, .......................................................... "paramurl"="REG_SZ", "http://trkr.bitsecureav.com/ipfiles/" "pdtm"="REG_SZ", "60" "protupdatedate"="REG_SZ", "10-15-2019" "PurchaseURL"="REG_SZ", "http://store.bitsecureav.com/btsav/plan/" "pxl"="REG_SZ", "btsav4680_btsav4579_btsav2332" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.bitsecureav.com/btsav/renewal/" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showpriceplan"="REG_DWORD", 1 "supporturl"="REG_SZ", "http://www.bitsecureav.com/support/" "TELNO"="REG_SZ", "" "trialshwng"="REG_SZ", "3" "utm_campaign"="REG_SZ", "btsavdflt" "utm_medium"="REG_SZ", "btsavdflt" "utm_source"="REG_SZ", "btsavdflt" "weburl"="REG_SZ", "http://www.bitsecureav.com" "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_187_177_135" [HKEY_LOCAL_MACHINE\SOFTWARE\bsav-pr] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\bitsecureav.com\BitSecure AV] "lstscnsett"="REG_BINARY, ................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\bsav-pr] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\bitsecureav.com BitSecure AV] "DisplayIcon"="REG_SZ", "C:\Program Files\BitSecure AV\application.ico" "DisplayName"="REG_SZ", "BitSecure AV" "DisplayVersion"="REG_SZ", "1.0.0.10" "HelpLink"="REG_SZ", "http://www.bitsecureav.com/support/" "InstallLocation"="REG_SZ", ""C:\Program Files\BitSecure AV"" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "bitsecureav.com" "QuietUninstallString"="REG_SZ", ""C:\Program Files\BitSecure AV\uninstall.exe" /S" "UninstallString"="REG_SZ", ""C:\Program Files\BitSecure AV\uninstall.exe"" "URLInfoAbout"="REG_SZ", "https://www.bitsecureav.com/#contactPage" "URLUpdateInfo"="REG_SZ", "https://www.bitsecureav.com/support/" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Yml0c2VjdXJlYXYuY29t\Qml0U2VjdXJlIEFW\ACT] "data"="REG_BINARY, ...................................................................... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avgntflt] "DependOnService"="REG_MULTI_SZ, "FltMgr " "Description"="REG_SZ", "Avira mini-filter driver" "DisplayName"="REG_SZ", "avgntflt" "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "FSFilter Anti-Virus" "ImagePath"="REG_EXPAND_SZ, "system32\DRIVERS\avgntflt.sys" "SDKMode"="REG_DWORD", 1 "Start"="REG_DWORD", 2 "SupportedFeatures"="REG_DWORD", 3 "Tag"="REG_DWORD", 2 "Type"="REG_DWORD", 2 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avgntflt\Enum] "0"="REG_SZ", "Root\LEGACY_AVGNTFLT\0000" "Count"="REG_DWORD", 1 "NextInstance"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avgntflt\Instances] "DefaultInstance"="REG_SZ", "avgntflt" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avgntflt\Instances\avgntflt] "Altitude"="REG_SZ", "320500" "Flags"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avipbb] "DebugFlags"="REG_SZ", "0" "DependOnService"="REG_SZ", "avkmgr" "Description"="REG_SZ", "Avira Security Enhancement Driver" "DisplayName"="REG_SZ", "avipbb" "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "Avira" "ImagePath"="REG_EXPAND_SZ, "system32\DRIVERS\avipbb.sys" "InternalFlags"="REG_DWORD", 160 "Start"="REG_DWORD", 1 "Tag"="REG_DWORD", 2 "Type"="REG_DWORD", 1 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avipbb\Enum] "0"="REG_SZ", "Root\LEGACY_AVIPBB\0000" "Count"="REG_DWORD", 1 "NextInstance"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avkmgr] "Description"="REG_SZ", "Avira Manager Driver" "DisplayName"="REG_SZ", "avkmgr" "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "Avira" "ImagePath"="REG_EXPAND_SZ, "system32\DRIVERS\avkmgr.sys" "Start"="REG_DWORD", 1 "Tag"="REG_DWORD", 1 "Type"="REG_DWORD", 1 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avkmgr\Enum] "0"="REG_SZ", "Root\LEGACY_AVKMGR\0000" "Count"="REG_DWORD", 1 "NextInstance"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BSAVProtection] "Description"="REG_SZ", "Responsible for BitSecure AV Protection." "DisplayName"="REG_SZ", "BitSecure AV" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\BitSecure AV\bsavprotection.exe"" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application] "AutoBackupLogFiles"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\BSAVProtection] "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\avgntflt] "EventMessageFile"="REG_EXPAND_SZ, "%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\avgntflt.sys" "TypesSupported"="REG_DWORD", 7 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\avipbb] "EventMessageFile"="REG_EXPAND_SZ, "%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\avipbb.sys" "TypesSupported"="REG_DWORD", 7 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\avkmgr] "EventMessageFile"="REG_EXPAND_SZ, "%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\avkmgr.sys" "TypesSupported"="REG_DWORD", 7 [HKEY_USERS\.DEFAULT\Software\bitsecureav.com\BitSecure AV] [HKEY_CURRENT_USER\Software\bitsecureav.com\BitSecure AV] "InstallString"="REG_SZ", "C:\Program Files\BitSecure AV" "LangCode"="REG_SZ", "en" "ptactdy"="REG_DWORD", 4 "pxl"="REG_SZ", "btsav4680_btsav4579_btsav2332" "tactdy"="REG_DWORD", 3 "utm_campaign"="REG_SZ", "btsavdflt" "utm_medium"="REG_SZ", "btsavdflt" "utm_source"="REG_SZ", "btsavdflt" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "{user_ip}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/15/19 Scan Time: 10:55 AM Log File: 987f5cd2-ef29-11e9-beaa-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12915 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234427 Threats Detected: 541 Threats Quarantined: 541 Time Elapsed: 23 min, 18 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.BitSecureAV, C:\PROGRAM FILES\BITSECURE AV\BSAVPROTECTION.EXE, Quarantined, [952], [747042],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsav.exe, Quarantined, [952], [747031],1.0.12915 Module: 37 PUP.Optional.BitSecureAV, C:\PROGRAM FILES\BITSECURE AV\BSAVPROTECTION.EXE, Quarantined, [952], [747042],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aebb.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aecore.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aecrypto.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aedroid.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeemu.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeexp.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aegen.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aehelp.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeheur.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aelibinf.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aemobile.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeoffice.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aepack.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aerdl.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aesbx.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aescn.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aescript.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aevdf.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\savapi.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\x64\SQLite.Interop.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\x86\SQLite.Interop.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsav.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Savapi.NET.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\System.Data.SQLite.DLL, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\System.Data.SQLite.DLL, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\System.Threading.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\TAFactory.IconPack.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\WPFToolkit.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Interop.IWshRuntimeLibrary.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Interop.NetFwTypeLib.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Interop.Shell32.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Microsoft.Win32.TaskScheduler.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Microsoft.Win32.TaskScheduler.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\msvcr120.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Newtonsoft.Json.dll, Quarantined, [952], [747031],1.0.12915 Registry Key: 12 PUP.Optional.BitSecureAV, HKU\S-1-5-18\SOFTWARE\bitsecureav.com, Quarantined, [952], [747043],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\bitsecureav.com, Quarantined, [952], [747039],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\bsav-pr, Quarantined, [952], [747040],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\Yml0c2VjdXJlYXYuY29t, Quarantined, [952], [747041],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\BITSECURE AV_LOGON, Quarantined, [952], [747035],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1ED375AE-CA49-4618-B647-E2A404CAA456}, Quarantined, [952], [747035],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{1ED375AE-CA49-4618-B647-E2A404CAA456}, Quarantined, [952], [747035],1.0.12915 PUP.Optional.BitSecureAV, HKCU\SOFTWARE\bitsecureav.com, Quarantined, [952], [747043],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BSAVProtection, Quarantined, [952], [747042],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\WOW6432NODE\bitsecureav.com, Quarantined, [952], [747039],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\WOW6432NODE\bsav-pr, Quarantined, [952], [747040],1.0.12915 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\bitsecureav.com BitSecure AV, Quarantined, [952], [747031],1.0.12915 Registry Value: 1 PUP.Optional.BitSecureAV, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1ED375AE-CA49-4618-B647-E2A404CAA456}|PATH, Quarantined, [952], [747037],1.0.12915 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 33 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\utils, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\AutoItInstaller, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\idx, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\tmp, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\x64, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\x86, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\x64, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\x86, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\PROGRAM FILES\BITSECURE AV, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\BITSECURE AV, Quarantined, [952], [747032],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\FF, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\GC, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\IE, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\Backups, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\PROGRAMDATA\BITSECUREAV.COM, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\Users\{username}\AppData\Roaming\bitsecureav.com\BitSecure Web Safe, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\USERS\{username}\APPDATA\ROAMING\BITSECUREAV.COM, Quarantined, [952], [747033],1.0.12915 File: 456 PUP.Optional.BitSecureAV, C:\USERS\PUBLIC\DESKTOP\BITSECURE AV.LNK, Quarantined, [952], [747034],1.0.12915 PUP.Optional.BitSecureAV, C:\WINDOWS\SYSTEM32\TASKS\BITSECURE AV_LOGON, Quarantined, [952], [747035],1.0.12915 PUP.Optional.BitSecureAV, C:\PROGRAM FILES\BITSECURE AV\BSAVPROTECTION.EXE, Quarantined, [952], [747042],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\AutoItInstaller\Uninstall.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\idx\module-vdf.info, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\utils\on-access-drivers-final.cmd, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\utils\on-access-drivers-post.cmd, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\utils\on-access-drivers-pre.cmd, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\utils\sd_inst.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\vista\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avgntflt.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avipbb.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avkmgr.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win7\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avgntflt.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avipbb.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avkmgr.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\win8\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win32\xp\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avgntflt.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avipbb.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avkmgr.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\vista\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avgntflt.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avipbb.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avkmgr.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win7\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avgntflt.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avipbb.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avkmgr.cat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\win8\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp\avgntflt.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp\avgntflt.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp\avipbb.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp\avipbb.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp\avkmgr.inf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\win64\xp\avkmgr.sys, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\on-access-drivers-install.cmd, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\on_access\on-access-drivers-uninstall.cmd, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aebb.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aecore.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aecrypto.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aedroid.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aedroid_gwf.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeemu.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeexp.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeexp_gwf.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aegen.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aehelp.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeheur.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeheur_agen.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeheur_gwf.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeheur_mv.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aelibinf.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aelibinf_db.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aelidb.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aemobile.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeoffice.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeoffice_gwf.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aepack.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aerdl.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aesbx.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aescn.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aescript.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aeset.dat, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\xbv00003.vdf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\xbv00255.vdf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\aevdf.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\avupdate-savapilib-engine.conf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\avupdate.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\avupdate.log, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\avupdate_msg.avr, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\cacert.crt, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\HBEDV.KEY, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\local000.vdf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\msvcp120.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\msvcr120.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\savapi.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\xbv00000.vdf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\savapi\xbv00001.vdf, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\x64\SQLite.Interop.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\x86\SQLite.Interop.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\ICSharpCode.SharpZipLib.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\langs.db, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\Microsoft.Win32.TaskScheduler.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\Newtonsoft.Json.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\System.Data.SQLite.DLL, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\System.Data.SQLite.Linq.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\System.Threading.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\TAFactory.IconPack.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\WebExtNotifier.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\websec\WebExtNotifier.exe.config, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\x64\SQLite.Interop.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\x86\SQLite.Interop.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\NLog.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\application.ico, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\avgio.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsav.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsav.exe.config, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsavmntr.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsavmntr.exe.config, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsavprotection.exe.config, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\bsavprotection.InstallState, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\HtmlRenderer.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\HtmlRenderer.WPF.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Savapi.NET.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\System.Data.SQLite.DLL, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\System.Data.SQLite.Linq.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\System.Threading.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\TAFactory.IconPack.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Uninstall.exe, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\WPFToolkit.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\ICSharpCode.SharpZipLib.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Interop.IWshRuntimeLibrary.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Interop.NetFwTypeLib.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Interop.SHDocVw.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Interop.Shell32.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\langs.db, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Microsoft.Win32.TaskScheduler.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Moq.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\msvcr120.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\Program Files\BitSecure AV\Newtonsoft.Json.dll, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\BitSecure AV.lnk, Quarantined, [952], [747031],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitSecure AV\BitSecure AV.lnk, Quarantined, [952], [747032],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitSecure AV\Buy BitSecure AV.lnk, Quarantined, [952], [747032],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitSecure AV\Uninstall BitSecure AV.lnk, Quarantined, [952], [747032],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\Backups\bsavbak_15102019_091312.zip, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\CGTrace_Cache.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\CGTrace_Cookies.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\CGTrace_History.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\CGTrace_Session.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\FFTrace_Bookmark_Backup.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\IETrace_History.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\IETrace_Temp_Internet_Files_Folder.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\LogFilesActivityTrace.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\TempFiles.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\junklog\ThumbnailCache.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\act.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\ApSetting.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\AvSetting.db, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\bkp.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\Cuarentena.db, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\DbVersion.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\Errorlog.txt, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\inslog.log, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\Result.cb, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\startup.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\update.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure AV\whitelist.xml, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\FF\com.bitsecurewebsafe.native.json, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\FF\install_host.bat, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\GC\com.bitsecurewebsafe.native.json, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\GC\install_host.bat, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\IE\com.bitsecurewebsafe.native.json, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\ProgramData\bitsecureav.com\BitSecure Web Safe\IE\install_host.bat, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\Users\{username}\AppData\Roaming\bitsecureav.com\BitSecure Web Safe\2019_10_15_ErrorLog.txt, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\Users\{username}\AppData\Roaming\bitsecureav.com\BitSecure Web Safe\langs.db, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\Users\{username}\AppData\Roaming\bitsecureav.com\BitSecure Web Safe\webblocker.db, Quarantined, [952], [747033],1.0.12915 PUP.Optional.BitSecureAV, C:\USERS\{username}\DESKTOP\BITSECUREAV.EXE, Quarantined, [952], [747047],1.0.12915 PUP.Optional.BitSecureAV, C:\USERS\{username}\DOWNLOADS\BITSECUREAV.EXE, Quarantined, [952], [747047],1.0.12915 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is UP Tab?The Malwarebytes research team has determined that UP Tab is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by UP Tab?You may see this browser extension:these warnings during install:You may see this icon in your browsers menu-bar:this new startpage:and this new setting:How did UP Tab get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove UP Tab?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of UP Tab? No, Malwarebytes' Anti-Malware removes UP Tab completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the UP Tab hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://ackfacgcbokflmiamcckdpcmdnkommof/index.html" CHR Extension: (UP Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof [2019-10-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0 Adds the file background.html"="5/23/2019 4:22 PM, 112 bytes, A Adds the file index.html"="6/20/2019 10:41 AM, 1370 bytes, A Adds the file manifest.json"="10/14/2019 8:31 AM, 906 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\_metadata Adds the file computed_hashes.json"="10/14/2019 8:31 AM, 34128 bytes, A Adds the file verified_contents.json"="6/20/2019 4:17 PM, 3989 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets Adds the file logo-15px.png"="6/19/2019 3:30 PM, 800 bytes, A Adds the file logo-20px.png"="6/19/2019 3:16 PM, 1228 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images Adds the file 1.jpg"="6/20/2019 4:05 PM, 231894 bytes, A Adds the file 2.jpg"="6/20/2019 4:07 PM, 565056 bytes, A Adds the file 3.jpg"="6/20/2019 4:08 PM, 314758 bytes, A Adds the file 4.jpg"="6/20/2019 4:10 PM, 264906 bytes, A Adds the file 5.jpg"="6/20/2019 4:11 PM, 166341 bytes, A Adds the file 6.jpg"="6/20/2019 4:13 PM, 281063 bytes, A Adds the file 7.jpg"="6/20/2019 4:14 PM, 272001 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\icons Adds the file icon128.png"="10/14/2019 8:31 AM, 6554 bytes, A Adds the file icon16.png"="10/14/2019 8:31 AM, 560 bytes, A Adds the file icon48.png"="10/14/2019 8:31 AM, 2044 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js Adds the file bg.js"="5/28/2019 11:34 AM, 214 bytes, A Adds the file gossip.js"="5/28/2019 11:49 AM, 1539 bytes, A Adds the file jquery-3.4.1.min.js"="5/23/2019 6:43 PM, 88145 bytes, A Adds the file jquery-ui.min.css"="9/14/2016 5:34 PM, 32076 bytes, A Adds the file jquery-ui.min.js"="9/14/2016 5:34 PM, 253669 bytes, A Adds the file moment-with-locales.min.js"="5/23/2019 6:42 PM, 336451 bytes, A Adds the file timeupdate.js"="6/20/2019 10:49 AM, 368 bytes, A Adds the file wallpaper.js"="6/20/2019 4:15 PM, 168 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\res Adds the file style2.css"="6/19/2019 3:57 PM, 3036 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ackfacgcbokflmiamcckdpcmdnkommof"="REG_SZ", "339C1608593D4E9E00E6CF6AFAD2E2FDFD16D98A08B91C98A2F1EC35CA6F4A78" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/14/19 Scan Time: 8:44 AM Log File: 1e7e9410-ee4e-11e9-9e68-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12895 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234174 Threats Detected: 37 Threats Quarantined: 37 Time Elapsed: 7 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.CoinUP, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ackfacgcbokflmiamcckdpcmdnkommof, Quarantined, [271], [744817],1.0.12895 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\_metadata, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\icons, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\res, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ACKFACGCBOKFLMIAMCCKDPCMDNKOMMOF, Quarantined, [271], [744817],1.0.12895 File: 28 PUP.Optional.CoinUP, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ACKFACGCBOKFLMIAMCCKDPCMDNKOMMOF\2.0.2_0\INDEX.HTML, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images\1.jpg, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images\2.jpg, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images\3.jpg, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images\4.jpg, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images\5.jpg, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images\6.jpg, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\images\7.jpg, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\logo-15px.png, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\assets\logo-20px.png, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\icons\icon128.png, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\icons\icon16.png, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\icons\icon48.png, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\bg.js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\gossip.js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\jquery-3.4.1.min.js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\jquery-ui.min.css, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\jquery-ui.min.js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\moment-with-locales.min.js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\timeupdate.js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\js\wallpaper.js, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\res\style2.css, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\_metadata\computed_hashes.json, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\_metadata\verified_contents.json, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\background.html, Quarantined, [271], [744817],1.0.12895 PUP.Optional.CoinUP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ackfacgcbokflmiamcckdpcmdnkommof\2.0.2_0\manifest.json, Quarantined, [271], [744817],1.0.12895 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is PDF Converter HD Search?The Malwarebytes research team has determined that PDF Converter HD Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by PDF Converter HD Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and these changed settings:How did PDF Converter HD Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove PDF Converter HD Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PDF Converter HD Search? No, Malwarebytes removes PDF Converter HD Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the PDF Converter HD Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.pdfconverterhd.com/?q={searchTerms}&publisher=pdfconverterhd&barcodeid=560810000000000 CHR DefaultSearchKeyword: Default -> PDFConverterHD CHR DefaultSuggestURL: Default -> hxxps://api.pdfconverterhd.com/suggest/get?q={searchTerms} CHR Extension: (PDFConverterHD) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf [2019-10-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0 Adds the file manifest.json"="10/11/2019 9:07 AM, 2129 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\_metadata Adds the file computed_hashes.json"="10/11/2019 9:07 AM, 6088 bytes, A Adds the file verified_contents.json"="10/4/2019 2:11 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\images\icons Adds the file 128x128.png"="10/11/2019 9:07 AM, 8538 bytes, A Adds the file 16x16.png"="10/11/2019 9:07 AM, 721 bytes, A Adds the file 64x64.png"="10/11/2019 9:07 AM, 4008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\scripts Adds the file background.js"="9/26/2019 5:01 PM, 511633 bytes, A Adds the file sitecontent.js"="9/26/2019 5:01 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_boepdioacnnfechdelcnhpjkelekoajf Adds the file PDF Converter HD Search.ico"="10/11/2019 9:07 AM, 198469 bytes, A Adds the file PDF Converter HD Search.ico.md5"="10/11/2019 9:07 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "boepdioacnnfechdelcnhpjkelekoajf"="REG_SZ", "D988A72A53370F3525AAC37B03F775D1858351AE3750C7C91EC3C4A9737CDA49" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/11/19 Scan Time: 9:18 AM Log File: 5eff5df2-ebf7-11e9-96a7-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12853 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234309 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 6 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.PDFConverterHD, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|boepdioacnnfechdelcnhpjkelekoajf, Quarantined, [259], [744821],1.0.12853 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\images\icons, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\_metadata, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\scripts, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\images, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BOEPDIOACNNFECHDELCNHPJKELEKOAJF, Quarantined, [259], [744821],1.0.12853 File: 12 PUP.Optional.PDFConverterHD, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BOEPDIOACNNFECHDELCNHPJKELEKOAJF\1.0.3_0\MANIFEST.JSON, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\images\icons\128x128.png, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\images\icons\16x16.png, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\images\icons\64x64.png, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\scripts\background.js, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\scripts\sitecontent.js, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\_metadata\computed_hashes.json, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boepdioacnnfechdelcnhpjkelekoajf\1.0.3_0\_metadata\verified_contents.json, Quarantined, [259], [744821],1.0.12853 PUP.Optional.PDFConverterHD, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [744820],1.0.12853 PUP.Optional.PDFConverterHD, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [744820],1.0.12853 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is CouponXplorer?The Malwarebytes research team has determined that CouponXplorer is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.CouponXplorer is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by CouponXplorer?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did CouponXplorer get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove CouponXplorer?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of CouponXplorer? No, Malwarebytes' Anti-Malware removes CouponXplorer completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the CouponXplorer hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/couponxplorer/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _5zMembers_@www.couponxplorer.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _5zMembers_@www.couponxplorer.com FF Extension: (CouponXplorer) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_5zMembers_@www.couponxplorer.com.xpi [2019-10-10] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=208153579&version=8.914.15.58963&track=TTAB02&trackRevision=1&fromId=_5zMembers_%40www.couponxplorer.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://dojnbkkcoflcddheladlfifebaieikap/ntp1.html" CHR Extension: (CouponXplorer) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap [2019-10-10] C:\Users\{username}\AppData\Local\CouponXplorerTooltab CouponXplorer Internet Explorer Homepage and New Tab (HKCU\...\CouponXplorerTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\CouponXplorerTooltab Adds the file TooltabExtension.dll"="3/6/2019 4:25 PM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0 Adds the file manifest.json"="10/10/2019 8:49 AM, 2631 bytes, A Adds the file ntp1.html"="9/19/2019 11:38 AM, 1349 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_metadata Adds the file computed_hashes.json"="10/10/2019 8:49 AM, 5504 bytes, A Adds the file verified_contents.json"="9/19/2019 11:38 AM, 7027 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\config Adds the file config.json"="9/19/2019 11:38 AM, 1433 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\icons Adds the file icon128.png"="10/10/2019 8:49 AM, 13717 bytes, A Adds the file icon16.png"="9/19/2019 11:38 AM, 1711 bytes, A Adds the file icon19disabled.png"="9/19/2019 11:38 AM, 1703 bytes, A Adds the file icon19on.png"="10/10/2019 8:49 AM, 860 bytes, A Adds the file icon48.png"="10/10/2019 8:49 AM, 4192 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js Adds the file ajax.js"="9/19/2019 11:38 AM, 3263 bytes, A Adds the file babAPI.js"="9/19/2019 11:38 AM, 5703 bytes, A Adds the file babClickHandler.js"="9/19/2019 11:38 AM, 11430 bytes, A Adds the file babContentScript.js"="9/19/2019 11:38 AM, 3749 bytes, A Adds the file babContentScriptAPI.js"="9/19/2019 11:38 AM, 9842 bytes, A Adds the file background.js"="9/19/2019 11:38 AM, 18106 bytes, A Adds the file browserUtils.js"="9/19/2019 11:38 AM, 1536 bytes, A Adds the file chrome.js"="9/19/2019 11:38 AM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="9/19/2019 11:38 AM, 22964 bytes, A Adds the file dateTimeUtils.js"="9/19/2019 11:38 AM, 1213 bytes, A Adds the file dlp.js"="9/19/2019 11:38 AM, 5783 bytes, A Adds the file dlpHelper.js"="9/19/2019 11:38 AM, 1835 bytes, A Adds the file extensionDetect.js"="9/19/2019 11:38 AM, 4354 bytes, A Adds the file index.js"="9/19/2019 11:38 AM, 49 bytes, A Adds the file localStorageContentScript.js"="9/19/2019 11:38 AM, 2236 bytes, A Adds the file logger.js"="9/19/2019 11:38 AM, 531 bytes, A Adds the file meta.js"="9/19/2019 11:38 AM, 1610 bytes, A Adds the file offerService.js"="9/19/2019 11:38 AM, 16953 bytes, A Adds the file pageUtils.js"="9/19/2019 11:38 AM, 2905 bytes, A Adds the file PartnerId.js"="9/19/2019 11:38 AM, 16402 bytes, A Adds the file polyfill.js"="9/19/2019 11:38 AM, 875 bytes, A Adds the file product.js"="9/19/2019 11:38 AM, 7830 bytes, A Adds the file remoteConfigLoader.js"="9/19/2019 11:38 AM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="9/19/2019 11:38 AM, 2821 bytes, A Adds the file storageUtils.js"="9/19/2019 11:38 AM, 1718 bytes, A Adds the file TemplateParser.js"="9/19/2019 11:38 AM, 3153 bytes, A Adds the file ul.js"="9/19/2019 11:38 AM, 3969 bytes, A Adds the file urlFragmentActions.js"="9/19/2019 11:38 AM, 2453 bytes, A Adds the file urlUtils.js"="9/19/2019 11:38 AM, 5906 bytes, A Adds the file util.js"="9/19/2019 11:38 AM, 2779 bytes, A Adds the file webtooltabAPI.js"="9/19/2019 11:38 AM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="9/19/2019 11:38 AM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dojnbkkcoflcddheladlfifebaieikap Adds the file 000003.log"="10/10/2019 8:49 AM, 4628 bytes, A Adds the file CURRENT"="10/10/2019 8:49 AM, 16 bytes, A Adds the file LOCK"="10/10/2019 8:49 AM, 0 bytes, A Adds the file LOG"="10/10/2019 8:49 AM, 185 bytes, A Adds the file MANIFEST-000001"="10/10/2019 8:49 AM, 41 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _5zMembers_@www.couponxplorer.com.xpi"="10/10/2019 8:47 AM, 92649 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\CouponXplorer] "Start Page"="REG_SZ", "http://hp.myway.com/couponxplorer/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dojnbkkcoflcddheladlfifebaieikap"="REG_SZ", "544A392FEF14652C90DF68F1DFC1DA195A97A699C4C389FBB6D03511152181EE" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/couponxplorer/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CouponXplorerTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "CouponXplorer Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\CouponXplorerTooltab\TooltabExtension.dll" U uninstall:CouponXplorer" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/10/19 Scan Time: 9:00 AM Log File: b273a816-eb2b-11e9-b853-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12837 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234352 Threats Detected: 86 Threats Quarantined: 86 Time Elapsed: 8 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CouponXplorerTooltab\TooltabExtension.dll, Quarantined, [1782], [356944],1.0.12837 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CouponXplorerTooltab Uninstall Internet Explorer, Quarantined, [1782], [356944],1.0.12837 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CouponXplorer, Quarantined, [1782], [444113],1.0.12837 Registry Value: 3 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CouponXplorerTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [655], [352442],1.0.12837 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CouponXplorer|START PAGE, Quarantined, [1782], [444113],1.0.12837 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dojnbkkcoflcddheladlfifebaieikap, Quarantined, [1782], [443121],1.0.12837 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [655], [293497],1.0.12837 Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CouponXplorerTooltab, Quarantined, [1782], [356944],1.0.12837 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\dojnbkkcoflcddheladlfifebaieikap, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\es_419, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\pt_BR, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\pt_PT, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\de, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\en, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\es, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\fr, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\it, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\ja, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_metadata, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\config, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\icons, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DOJNBKKCOFLCDDHELADLFIFEBAIEIKAP, Quarantined, [1782], [443121],1.0.12837 File: 61 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CouponXplorerTooltab\TooltabExtension.dll, Quarantined, [1782], [356944],1.0.12837 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_5zMembers_@www.couponxplorer.com.xpi, Quarantined, [1782], [457930],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dojnbkkcoflcddheladlfifebaieikap\000003.log, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dojnbkkcoflcddheladlfifebaieikap\CURRENT, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dojnbkkcoflcddheladlfifebaieikap\LOCK, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dojnbkkcoflcddheladlfifebaieikap\LOG, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dojnbkkcoflcddheladlfifebaieikap\MANIFEST-000001, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DOJNBKKCOFLCDDHELADLFIFEBAIEIKAP\13.909.16.23352_0\MANIFEST.JSON, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\config\config.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\icons\icon128.png, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\icons\icon16.png, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\icons\icon19disabled.png, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\icons\icon19on.png, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\icons\icon48.png, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\localStorageContentScript.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\ajax.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\babAPI.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\babClickHandler.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\babContentScript.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\babContentScriptAPI.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\background.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\browserUtils.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\chrome.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\contentScriptConnectionManager.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\dateTimeUtils.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\dlp.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\dlpHelper.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\extensionDetect.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\index.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\logger.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\meta.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\offerService.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\pageUtils.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\PartnerId.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\polyfill.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\product.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\remoteConfigLoader.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\splashPageRedirectHandler.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\storageUtils.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\TemplateParser.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\ul.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\urlFragmentActions.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\urlUtils.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\util.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\webtooltabAPI.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\js\webTooltabAPIProxy.js, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\de\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\en\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\es\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\es_419\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\fr\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\it\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\ja\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\pt_BR\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_locales\pt_PT\messages.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_metadata\computed_hashes.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\_metadata\verified_contents.json, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dojnbkkcoflcddheladlfifebaieikap\13.909.16.23352_0\ntp1.html, Quarantined, [1782], [443121],1.0.12837 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\COUPONXPLORER.EXE, Quarantined, [655], [365288],1.0.12837 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Newsurf?The Malwarebytes research team has determined that Newsurf is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Newsurf?You may see this entry in your list of installed Chrome extensions:and these warnings during install:Users may notice the searches from major search providers are being hijacked.How did Newsurf get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Newsurf?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Newsurf? No, Malwarebytes removes Newsurf completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below both Malwarebytes Browser Guard, as the premium version of Malwarebytes would have protected you against the Newsurf hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Newsurf) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml [2019-10-09] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0 Adds the file background.js"="10/8/2019 12:05 PM, 6160 bytes, A Adds the file manifest.json"="10/9/2019 8:37 AM, 1725 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\_metadata Adds the file computed_hashes.json"="10/9/2019 8:37 AM, 404 bytes, A Adds the file verified_contents.json"="10/8/2019 12:04 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\icons Adds the file icon128.png"="10/9/2019 8:37 AM, 2188 bytes, A Adds the file icon48.png"="10/9/2019 8:37 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kiaeafppaecembblpafchmcmajphkjml Adds the file 000003.log"="10/9/2019 8:38 AM, 116 bytes, A Adds the file CURRENT"="10/9/2019 8:37 AM, 16 bytes, A Adds the file LOCK"="10/9/2019 8:37 AM, 0 bytes, A Adds the file LOG"="10/9/2019 8:37 AM, 184 bytes, A Adds the file MANIFEST-000001"="10/9/2019 8:37 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kiaeafppaecembblpafchmcmajphkjml"="REG_SZ", "51D00394C7C4163D41C8C9AEC3B4E5C8DA2CEB0132241AEB5CBBA7CB4F55F74B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/9/19 Scan Time: 8:51 AM Log File: 442b6eae-ea61-11e9-9ed7-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12821 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234314 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 6 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Notics, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kiaeafppaecembblpafchmcmajphkjml, Quarantined, [14738], [740507],1.0.12821 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kiaeafppaecembblpafchmcmajphkjml, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\_metadata, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\icons, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KIAEAFPPAECEMBBLPAFCHMCMAJPHKJML, Quarantined, [14738], [740507],1.0.12821 File: 13 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kiaeafppaecembblpafchmcmajphkjml\000003.log, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kiaeafppaecembblpafchmcmajphkjml\CURRENT, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kiaeafppaecembblpafchmcmajphkjml\LOCK, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kiaeafppaecembblpafchmcmajphkjml\LOG, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kiaeafppaecembblpafchmcmajphkjml\MANIFEST-000001, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KIAEAFPPAECEMBBLPAFCHMCMAJPHKJML\3.3.6_0\BACKGROUND.JS, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\icons\icon128.png, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\icons\icon48.png, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\_metadata\computed_hashes.json, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\_metadata\verified_contents.json, Quarantined, [14738], [740507],1.0.12821 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiaeafppaecembblpafchmcmajphkjml\3.3.6_0\manifest.json, Quarantined, [14738], [740507],1.0.12821 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is System Cleanup?The Malwarebytes research team has determined that System Cleanup is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with System Cleanup?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:How did System Cleanup get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove System Cleanup?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of System Cleanup? No, Malwarebytes removes System Cleanup completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the System Cleanup installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () [File not signed] C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.exe () [File not signed] C:\Users\{username}\AppData\Local\Temp\is-7C82I.tmp\makefast-system-cleanup.tmp (Circuit Software LLC -> Circuit Software LLC ) [File not signed] C:\Users\{username}\Desktop\makefast-system-cleanup.exe C:\Users\Public\Desktop\System Cleanup.lnk C:\ProgramData\Desktop\System Cleanup.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Cleanup C:\Program Files (x86)\Makefast System Cleanup version v1.2.00 (HKLM-x32\...\{21AB2F09-1C61-4A31-AECA-3ADE74BBEE59}_is1) (Version: v1.2.00 - Circuit Software LLC) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Makefast\System Cleanup Adds the file bactch.cmd"="10/21/2014 3:01 AM, 0 bytes, A Adds the file icon.ico"="1/6/2015 4:55 AM, 32038 bytes, A Adds the file OSVersionInfo.dll"="9/18/2014 10:23 PM, 19968 bytes, A Adds the file PC Wiper.exe"="8/9/2018 1:55 PM, 3773952 bytes, A Adds the file PC Wiper.exe.config"="10/17/2014 7:25 PM, 926 bytes, A Adds the file PC Wiper.pdb"="8/9/2018 1:55 PM, 302592 bytes, A Adds the file PC Wiper.vshost.exe"="8/9/2018 1:52 PM, 22984 bytes, A Adds the file PC Wiper.vshost.exe.config"="10/17/2014 7:25 PM, 926 bytes, A Adds the file unins000.dat"="10/8/2019 10:55 AM, 5875 bytes, A Adds the file unins000.exe"="10/8/2019 10:55 AM, 758437 bytes, A Adds the folder C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication Adds the file Activation.xml"="1/6/2015 4:58 AM, 194 bytes, A Adds the file Sys_Auth.txt"="4/19/2014 6:57 AM, 13 bytes, A Adds the file sys_error_nbr.txt"="10/8/2019 10:57 AM, 5 bytes, A Adds the file sys_error_size.txt"="10/8/2019 10:57 AM, 6 bytes, A Adds the file sys_manage.txt"="1/6/2015 4:59 AM, 0 bytes, A Adds the file sys_read.txt"="10/8/2019 10:56 AM, 21 bytes, A Adds the folder C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves Adds the file Cleaned.wav"="4/14/2014 8:43 PM, 106064 bytes, A Adds the file Cleaning.wav"="4/12/2014 7:19 PM, 108368 bytes, A Adds the file done.wav"="4/9/2014 5:29 AM, 73808 bytes, A Adds the file Issues.wav"="4/23/2014 3:14 AM, 364112 bytes, A Adds the file scandone.png"="4/12/2014 10:08 PM, 39016 bytes, A Adds the file scanning.wav"="4/9/2014 5:29 AM, 115280 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Cleanup Adds the file System Cleanup on the Web.url"="10/8/2019 10:55 AM, 124 bytes, A Adds the file System Cleanup.lnk"="10/8/2019 10:55 AM, 1304 bytes, A Adds the file Uninstall System Cleanup.lnk"="10/8/2019 10:55 AM, 1304 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file System Cleanup.lnk"="10/8/2019 10:55 AM, 1286 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{21AB2F09-1C61-4A31-AECA-3ADE74BBEE59}_is1] "Comments"="REG_SZ", "System Cleanup" "Contact"="REG_SZ", "(833) 209-5478" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Makefast\System Cleanup\icon.ico" "DisplayName"="REG_SZ", "System Cleanup version v1.2.00" "DisplayVersion"="REG_SZ", "v1.2.00" "EstimatedSize"="REG_DWORD", 9259 "HelpLink"="REG_SZ", "http://makefast.us/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Makefast\System Cleanup" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "System Cleanup" "Inno Setup: Language"="REG_SZ", "english" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon" "Inno Setup: Setup Version"="REG_SZ", "5.6.1 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20191008" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Makefast\System Cleanup\" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Circuit Software LLC" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Makefast\System Cleanup\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Makefast\System Cleanup\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://makefast.us/" "URLUpdateInfo"="REG_SZ", "http://makefast.us/" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/8/19 Scan Time: 11:06 AM Log File: dc9576ce-e9aa-11e9-b2b4-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12807 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234476 Threats Detected: 35 Threats Quarantined: 35 Time Elapsed: 9 min, 38 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.exe, Quarantined, [3151], [742787],1.0.12807 Module: 1 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.exe, Quarantined, [3151], [742787],1.0.12807 Registry Key: 1 PUP.Optional.MakeFast, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{21AB2F09-1C61-4A31-AECA-3ADE74BBEE59}_is1, Quarantined, [3151], [742787],1.0.12807 Registry Value: 1 PUP.Optional.MakeFast, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{21AB2F09-1C61-4A31-AECA-3ADE74BBEE59}_IS1|DISPLAYNAME, Quarantined, [3151], [742788],1.0.12807 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\PROGRAM FILES (X86)\MAKEFAST\SYSTEM CLEANUP, Quarantined, [3151], [742787],1.0.12807 File: 25 PUP.Optional.Epicsofts, C:\USERS\PUBLIC\DESKTOP\SYSTEM CLEANUP.LNK, Quarantined, [4554], [350911],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves\Cleaned.wav, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves\Cleaning.wav, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves\done.wav, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves\Issues.wav, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves\scandone.png, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\System Cleanup\Waves\scanning.wav, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication\Activation.xml, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication\Sys_Auth.txt, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication\sys_error_nbr.txt, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication\sys_error_size.txt, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication\sys_manage.txt, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\Sys_auth\Authentication\sys_read.txt, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\bactch.cmd, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\icon.ico, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\OSVersionInfo.dll, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.exe, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.exe.config, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.pdb, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.vshost.exe, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\PC Wiper.vshost.exe.config, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\unins000.dat, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\Program Files (x86)\Makefast\System Cleanup\unins000.exe, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\System Cleanup.lnk, Quarantined, [3151], [742787],1.0.12807 PUP.Optional.MakeFast, C:\USERS\{username}\DESKTOP\MAKEFAST-SYSTEM-CLEANUP.EXE, Quarantined, [3151], [742785],1.0.12807 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is Power App?The Malwarebytes research team has determined that Power App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Power App?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this changed setting:How did Power App get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Power App?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Power App? No, Malwarebytes removes Power App completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Power App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://searchpowerapp.com/results.php?p=9100&v=400&q={searchTerms}&source=default CHR DefaultSearchKeyword: Default -> spa CHR DefaultSuggestURL: Default -> hxxps://searchpowerapp.com/gjson.php?q={searchTerms} CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo [2019-10-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0 Adds the file background.js"="9/26/2019 12:55 PM, 8456 bytes, A Adds the file manifest.json"="10/4/2019 9:14 AM, 1628 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\_metadata Adds the file computed_hashes.json"="10/4/2019 9:14 AM, 451 bytes, A Adds the file verified_contents.json"="9/26/2019 4:26 PM, 1645 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\icons Adds the file icon128.png"="10/4/2019 9:14 AM, 2188 bytes, A Adds the file icon48.png"="10/4/2019 9:14 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo Adds the file 000003.log"="10/4/2019 9:21 AM, 205 bytes, A Adds the file CURRENT"="10/4/2019 9:14 AM, 16 bytes, A Adds the file LOCK"="10/4/2019 9:14 AM, 0 bytes, A Adds the file LOG"="10/4/2019 9:21 AM, 407 bytes, A Adds the file LOG.old"="10/4/2019 9:15 AM, 183 bytes, A Adds the file MANIFEST-000001"="10/4/2019 9:14 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_japlganomapehbihoeabpnphbfpchddo Adds the file Power App.ico"="10/4/2019 9:14 AM, 162813 bytes, A Adds the file Power App.ico.md5"="10/4/2019 9:15 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "japlganomapehbihoeabpnphbfpchddo"="REG_SZ", "9866D35A9964A3908366399C7E8059464667DF043E0A67847A5068C758952AB8" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/4/19 Scan Time: 9:28 AM Log File: 81eb4739-e678-11e9-804d-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12761 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234767 Threats Detected: 20 Threats Quarantined: 20 Time Elapsed: 6 min, 37 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|japlganomapehbihoeabpnphbfpchddo, Quarantined, [376], [460702],1.0.12761 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\_metadata, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\icons, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JAPLGANOMAPEHBIHOEABPNPHBFPCHDDO, Quarantined, [376], [460702],1.0.12761 File: 14 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo\000003.log, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo\CURRENT, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo\LOCK, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo\LOG, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo\LOG.old, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\japlganomapehbihoeabpnphbfpchddo\MANIFEST-000001, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JAPLGANOMAPEHBIHOEABPNPHBFPCHDDO\5.2_0\MANIFEST.JSON, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\icons\icon128.png, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\icons\icon48.png, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\_metadata\computed_hashes.json, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\_metadata\verified_contents.json, Quarantined, [376], [460702],1.0.12761 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\japlganomapehbihoeabpnphbfpchddo\5.2_0\background.js, Quarantined, [376], [460702],1.0.12761 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is QuickPDFMerger?The Malwarebytes research team has determined that QuickPDFMerger is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.QuickPDFMerger is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by QuickPDFMerger?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did QuickPDFMerger get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove QuickPDFMerger?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of QuickPDFMerger? No, Malwarebytes' Anti-Malware removes QuickPDFMerger completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the QuickPDFMerger hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and both Malwarebytes Premium and Malwarebytes Browser Guard block traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/quickpdfmerger/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _koMembers_@www.quickpdfmerger.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _koMembers_@www.quickpdfmerger.com FF Extension: (QuickPDFMerger) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_koMembers_@www.quickpdfmerger.com.xpi [2019-10-03] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=234782342&version=8.914.16.18334&track=TTAB02&trackRevision=1&fromId=_koMembers_%40www.quickpdfmerger.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://ngamdaobhhgfhjakfmgggafaochpccmc/ntp1.html" CHR Extension: (QuickPDFMerger) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc [2019-10-03] C:\Users\{username}\AppData\Local\QuickPDFMergerTooltab QuickPDFMerger Internet Explorer Homepage and New Tab (HKCU\...\QuickPDFMergerTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0 Adds the file manifest.json"="10/3/2019 9:16 AM, 2636 bytes, A Adds the file ntp1.html"="9/19/2019 7:09 PM, 1349 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_metadata Adds the file computed_hashes.json"="10/3/2019 9:16 AM, 5504 bytes, A Adds the file verified_contents.json"="9/19/2019 7:09 PM, 7407 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\config Adds the file config.json"="9/19/2019 7:09 PM, 1515 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\icons Adds the file icon128.png"="10/3/2019 9:16 AM, 3739 bytes, A Adds the file icon16.png"="9/19/2019 7:09 PM, 857 bytes, A Adds the file icon19disabled.png"="9/19/2019 7:09 PM, 837 bytes, A Adds the file icon19on.png"="10/3/2019 9:16 AM, 592 bytes, A Adds the file icon48.png"="10/3/2019 9:16 AM, 1641 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js Adds the file ajax.js"="9/19/2019 7:09 PM, 3263 bytes, A Adds the file babAPI.js"="9/19/2019 7:09 PM, 5703 bytes, A Adds the file babClickHandler.js"="9/19/2019 7:09 PM, 11430 bytes, A Adds the file babContentScript.js"="9/19/2019 7:09 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="9/19/2019 7:09 PM, 9842 bytes, A Adds the file background.js"="9/19/2019 7:09 PM, 18106 bytes, A Adds the file browserUtils.js"="9/19/2019 7:09 PM, 1536 bytes, A Adds the file chrome.js"="9/19/2019 7:09 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="9/19/2019 7:09 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="9/19/2019 7:09 PM, 1213 bytes, A Adds the file dlp.js"="9/19/2019 7:09 PM, 5783 bytes, A Adds the file dlpHelper.js"="9/19/2019 7:09 PM, 1835 bytes, A Adds the file extensionDetect.js"="9/19/2019 7:09 PM, 4354 bytes, A Adds the file index.js"="9/19/2019 7:09 PM, 49 bytes, A Adds the file localStorageContentScript.js"="9/19/2019 7:09 PM, 2236 bytes, A Adds the file logger.js"="9/19/2019 7:09 PM, 531 bytes, A Adds the file meta.js"="9/19/2019 7:09 PM, 1610 bytes, A Adds the file offerService.js"="9/19/2019 7:09 PM, 16953 bytes, A Adds the file pageUtils.js"="9/19/2019 7:09 PM, 2905 bytes, A Adds the file PartnerId.js"="9/19/2019 7:09 PM, 16402 bytes, A Adds the file polyfill.js"="9/19/2019 7:09 PM, 875 bytes, A Adds the file product.js"="9/19/2019 7:09 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="9/19/2019 7:09 PM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="9/19/2019 7:09 PM, 2821 bytes, A Adds the file storageUtils.js"="9/19/2019 7:09 PM, 1718 bytes, A Adds the file TemplateParser.js"="9/19/2019 7:09 PM, 3153 bytes, A Adds the file ul.js"="9/19/2019 7:09 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="9/19/2019 7:09 PM, 2453 bytes, A Adds the file urlUtils.js"="9/19/2019 7:09 PM, 5906 bytes, A Adds the file util.js"="9/19/2019 7:09 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="9/19/2019 7:09 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="9/19/2019 7:09 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ngamdaobhhgfhjakfmgggafaochpccmc Adds the file 000003.log"="10/3/2019 9:16 AM, 4306 bytes, A Adds the file CURRENT"="10/3/2019 9:16 AM, 16 bytes, A Adds the file LOCK"="10/3/2019 9:16 AM, 0 bytes, A Adds the file LOG"="10/3/2019 9:16 AM, 185 bytes, A Adds the file MANIFEST-000001"="10/3/2019 9:16 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\QuickPDFMergerTooltab Adds the file TooltabExtension.dll"="8/30/2019 8:40 PM, 266864 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _koMembers_@www.quickpdfmerger.com.xpi"="10/3/2019 9:13 AM, 77484 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ngamdaobhhgfhjakfmgggafaochpccmc"="REG_SZ", "BC44404CB348ADA80391A22578395C59491F0670D0D53F66E2F4812AC277BAF5" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/quickpdfmerger/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\QuickPDFMergerTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "QuickPDFMerger Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\QuickPDFMergerTooltab\TooltabExtension.dll" U uninstall:QuickPDFMerger" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\QuickPDFMerger] "Start Page"="REG_SZ", "http://hp.myway.com/quickpdfmerger/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=https%3A%2F%2Fhp.myway.com%2Fuo%2Fo1%2Findex.html%3Fc%3D{ptb}%26ptb%3D{p2}" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/3/19 Scan Time: 9:27 AM Log File: 3e159906-e5af-11e9-85ce-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12749 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234774 Threats Detected: 93 Threats Quarantined: 93 Time Elapsed: 9 min, 55 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\QuickPDFMergerTooltab\TooltabExtension.dll, Quarantined, [1782], [356944],1.0.12749 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\QuickPDFMergerTooltab Uninstall Internet Explorer, Quarantined, [1782], [356944],1.0.12749 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\QuickPDFMerger, Quarantined, [1782], [444113],1.0.12749 Registry Value: 3 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\QuickPDFMergerTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [653], [352442],1.0.12749 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\QuickPDFMerger|START PAGE, Quarantined, [1782], [444113],1.0.12749 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ngamdaobhhgfhjakfmgggafaochpccmc, Quarantined, [1782], [443121],1.0.12749 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [653], [293497],1.0.12749 Data Stream: 0 (No malicious items detected) Folder: 21 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\QuickPDFMergerTooltab, Quarantined, [1782], [356944],1.0.12749 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ngamdaobhhgfhjakfmgggafaochpccmc, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\es_419, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\pt_BR, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\pt_PT, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\ar, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\de, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\en, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\es, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\fr, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\it, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\ja, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\ko, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\nl, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_metadata, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\config, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\icons, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NGAMDAOBHHGFHJAKFMGGGAFAOCHPCCMC, Quarantined, [1782], [443121],1.0.12749 File: 65 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\QuickPDFMergerTooltab\TooltabExtension.dll, Quarantined, [1782], [356944],1.0.12749 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_koMembers_@www.quickpdfmerger.com.xpi, Quarantined, [1782], [457930],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ngamdaobhhgfhjakfmgggafaochpccmc\000003.log, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ngamdaobhhgfhjakfmgggafaochpccmc\CURRENT, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ngamdaobhhgfhjakfmgggafaochpccmc\LOCK, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ngamdaobhhgfhjakfmgggafaochpccmc\LOG, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ngamdaobhhgfhjakfmgggafaochpccmc\MANIFEST-000001, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NGAMDAOBHHGFHJAKFMGGGAFAOCHPCCMC\13.909.16.25464_0\MANIFEST.JSON, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\config\config.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\icons\icon128.png, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\icons\icon16.png, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\icons\icon19disabled.png, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\icons\icon19on.png, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\icons\icon48.png, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\localStorageContentScript.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\ajax.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\babAPI.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\babClickHandler.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\babContentScript.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\babContentScriptAPI.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\background.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\browserUtils.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\chrome.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\contentScriptConnectionManager.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\dateTimeUtils.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\dlp.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\dlpHelper.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\extensionDetect.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\index.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\logger.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\meta.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\offerService.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\pageUtils.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\PartnerId.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\polyfill.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\product.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\remoteConfigLoader.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\splashPageRedirectHandler.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\storageUtils.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\TemplateParser.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\ul.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\urlFragmentActions.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\urlUtils.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\util.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\webtooltabAPI.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\js\webTooltabAPIProxy.js, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\ar\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\de\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\en\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\es\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\es_419\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\fr\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\it\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\ja\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\ko\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\nl\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\pt_BR\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_locales\pt_PT\messages.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_metadata\computed_hashes.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\_metadata\verified_contents.json, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngamdaobhhgfhjakfmgggafaochpccmc\13.909.16.25464_0\ntp1.html, Quarantined, [1782], [443121],1.0.12749 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\QUICKPDFMERGER.EXE, Quarantined, [653], [365288],1.0.12749 PUP.Optional.MindSpark, C:\USERS\{username}\DOWNLOADS\QUICKPDFMERGER.4BD97D4C21924762997C6D91167653DA.EXE, Quarantined, [653], [365288],1.0.12749 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Mega Music Search?The Malwarebytes research team has determined that Mega Music Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Mega Music Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Mega Music Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Mega Music Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Mega Music Search? No, Malwarebytes removes Mega Music Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Mega Music Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://music.globalappz.live/search/?category=web&s=c8ds&vert=music&q={searchTerms} CHR DefaultSearchKeyword: Default -> Mega Music Search CHR DefaultSuggestURL: Default -> hxxp://sug.globalappz.live/search/index_sg.php?q={searchTerms} CHR Extension: (Mega Music Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic [2019-10-02] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0 Adds the file background.js"="6/20/2019 12:14 PM, 4976 bytes, A Adds the file manifest.json"="10/2/2019 11:55 AM, 2121 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\_metadata Adds the file computed_hashes.json"="10/2/2019 11:55 AM, 3695 bytes, A Adds the file verified_contents.json"="6/20/2019 12:19 PM, 2899 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\browser_action Adds the file browser_action.html"="6/3/2019 2:28 PM, 2239 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\browser_action\js Adds the file main.js"="6/3/2019 2:28 PM, 365 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\icons Adds the file icon128.png"="10/2/2019 11:55 AM, 5091 bytes, A Adds the file icon16.png"="10/2/2019 11:55 AM, 693 bytes, A Adds the file icon38.png"="10/2/2019 11:55 AM, 1859 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images\rateshare Adds the file close.png"="6/3/2019 2:28 PM, 1920 bytes, A Adds the file rate.jpg"="6/3/2019 2:28 PM, 102155 bytes, A Adds the file rate1.png"="6/3/2019 2:28 PM, 12334 bytes, A Adds the file share.jpg"="6/3/2019 2:28 PM, 17633 bytes, A Adds the file share1.png"="6/3/2019 2:28 PM, 4466 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\js Adds the file rate.js"="6/5/2019 11:08 AM, 3519 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\js\jquery Adds the file jquery.min.js"="6/3/2019 2:28 PM, 83100 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jgofjiialcpbongknpjkllipmecbkcic"="REG_SZ", "7ACA3B6E770B0F09CB18E64775772FC3B96EF287099AB00D616622E254752544" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/2/19 Scan Time: 12:11 PM Log File: fd87ff08-e4fc-11e9-843f-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12733 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 234908 Threats Detected: 31 Threats Quarantined: 31 Time Elapsed: 11 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.GlobalAppz, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jgofjiialcpbongknpjkllipmecbkcic, Quarantined, [321], [738741],1.0.12733 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\browser_action\js, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images\rateshare, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\browser_action, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\js\jquery, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\_metadata, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\icons, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\js, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGOFJIIALCPBONGKNPJKLLIPMECBKCIC, Quarantined, [321], [738741],1.0.12733 File: 20 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\browser_action\js\main.js, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\browser_action\browser_action.html, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\icons\icon128.png, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\icons\icon16.png, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\icons\icon38.png, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images\rateshare\close.png, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images\rateshare\rate.jpg, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images\rateshare\rate1.png, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images\rateshare\share.jpg, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\images\rateshare\share1.png, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\js\jquery\jquery.min.js, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\js\rate.js, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\_metadata\computed_hashes.json, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\_metadata\verified_contents.json, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\background.js, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgofjiialcpbongknpjkllipmecbkcic\1.0.2_0\manifest.json, Quarantined, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [321], [738741],1.0.12733 PUP.Optional.GlobalAppz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [321], [635021],1.0.12733 PUP.Optional.GlobalAppz, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [321], [635021],1.0.12733 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Auslogics Driver Updater?The Malwarebytes research team has determined that Auslogics Driver Updater is a "driver updater". These so-called "system optimizers" often use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Auslogics Driver Updater?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Auslogics Driver Updater get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Auslogics Driver Updater?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Auslogics Driver Updater? No, Malwarebytes removes Auslogics Driver Updater completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Auslogics Driver Updater installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Auslogics Labs Pty Ltd -> Auslogics) C:\Program Files (x86)\Auslogics\Driver Updater\DriverUpdater.exe Task: {F7D9EDE3-BE63-463C-B77F-21095C013679} - System32\Tasks\Auslogics\Driver Updater\Start Driver Updater оn {username} logon => C:\Program Files (x86)\Auslogics\Driver Updater\DriverUpdater.exe [4768888 2019-08-23] (Auslogics Labs Pty Ltd -> Auslogics) C:\ProgramData\BSD C:\Users\{username}\Desktop\Auslogics Driver Updater.lnk C:\Windows\system32\Tasks\Auslogics C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics C:\ProgramData\Auslogics C:\Program Files (x86)\Auslogics Auslogics Driver Updater (HKLM-x32\...\{23BB1B18-3537-48F7-BEF7-42BC65DBF993}_is1) (Version: 1.21.3.0 - Auslogics Labs Pty Ltd) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Auslogics\Driver Updater Adds the file ATPopupsHelper.dll"="8/23/2019 8:28 AM, 358016 bytes, A Adds the file ATUpdatersHelper.dll"="8/23/2019 8:28 AM, 751744 bytes, A Adds the file AxComponentsRTL.bpl"="8/23/2019 8:28 AM, 1859704 bytes, A Adds the file AxComponentsVCL.bpl"="8/23/2019 8:28 AM, 6610048 bytes, A Adds the file CFAHelper.dll"="8/23/2019 8:28 AM, 91776 bytes, A Adds the file CommonForms.dll"="8/23/2019 8:28 AM, 351360 bytes, A Adds the file CommonForms.Routine.dll"="8/23/2019 8:28 AM, 853120 bytes, A Adds the file CommonForms.Site.dll"="8/23/2019 8:28 AM, 301176 bytes, A Adds the file DebugHelper.dll"="8/23/2019 8:28 AM, 1181312 bytes, A Adds the file Downloader.exe"="8/23/2019 8:27 AM, 38016 bytes, A Adds the file DPInst64.exe"="8/23/2019 8:28 AM, 686208 bytes, A Adds the file DriverHiveEngine.dll"="8/23/2019 8:28 AM, 1800832 bytes, A Adds the file DriverUpdater.exe"="8/23/2019 8:28 AM, 4768888 bytes, A Adds the file DriverUpdater.url"="10/1/2019 9:01 AM, 78 bytes, A Adds the file DriverUpdaterHelper.dll"="8/23/2019 8:28 AM, 649344 bytes, A Adds the file EULA.rtf"="8/22/2019 3:18 PM, 25139 bytes, A Adds the file GoogleAnalyticsHelper.dll"="8/23/2019 8:28 AM, 119424 bytes, A Adds the file Localizer.dll"="8/23/2019 8:28 AM, 195192 bytes, A Adds the file RescueCenterForm.dll"="8/23/2019 8:28 AM, 269432 bytes, A Adds the file RescueCenterHelper.dll"="8/23/2019 8:28 AM, 582776 bytes, A Adds the file rtl250.bpl"="8/23/2019 8:28 AM, 10595968 bytes, A Adds the file SendDebugLog.exe"="8/23/2019 8:28 AM, 639608 bytes, A Adds the file ServiceManagerHelper.dll"="8/23/2019 8:28 AM, 266360 bytes, A Adds the file sqlite3.dll"="8/23/2019 8:28 AM, 856048 bytes, A Adds the file SystemInformationHelper.dll"="8/23/2019 8:28 AM, 873600 bytes, A Adds the file TaskSchedulerHelper.dll"="8/23/2019 8:28 AM, 555136 bytes, A Adds the file unins000.dat"="10/1/2019 9:01 AM, 72051 bytes, A Adds the file unins000.exe"="10/1/2019 9:00 AM, 1220736 bytes, A Adds the file unins000.msg"="10/1/2019 9:01 AM, 20969 bytes, A Adds the file vcl250.bpl"="8/23/2019 8:28 AM, 4051584 bytes, A Adds the file vclie250.bpl"="8/23/2019 8:28 AM, 1090176 bytes, A Adds the file vclimg250.bpl"="8/23/2019 8:28 AM, 365696 bytes, A Adds the file WizardHelper.dll"="8/23/2019 8:28 AM, 1642624 bytes, A Adds the folder C:\Program Files (x86)\Auslogics\Driver Updater\Data Adds the file main.ini"="8/22/2019 3:18 PM, 793 bytes, A Adds the folder C:\Program Files (x86)\Auslogics\Driver Updater\Lang Adds the folder C:\ProgramData\Auslogics\Driver Updater\1.x Adds the file DriverHiveEngine_0.log"="10/1/2019 9:01 AM, 0 bytes, A Adds the folder C:\ProgramData\Auslogics\Driver Updater\1.x\Downloads Adds the file statistics.dat"="10/1/2019 9:02 AM, 364 bytes, A Adds the folder C:\ProgramData\Auslogics\Driver Updater\1.x\Logs Adds the file CheckSerialNumber.log"="10/1/2019 9:01 AM, 0 bytes, A Adds the folder C:\ProgramData\BSD\DriverHive Adds the file history2.dat"="10/1/2019 9:02 AM, 63 bytes, A Adds the folder C:\ProgramData\BSD\DriverHiveEngine Adds the file scandet2.dat"="10/1/2019 9:02 AM, 52199 bytes, A Adds the file scansummary2.dat"="10/1/2019 9:02 AM, 252 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics\Driver Updater Adds the file Auslogics Driver Updater on the Web.url"="10/1/2019 9:01 AM, 129 bytes, A Adds the file Auslogics Driver Updater.lnk"="10/1/2019 9:01 AM, 1236 bytes, A Adds the file Uninstall Driver Updater.lnk"="10/1/2019 9:01 AM, 1211 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file Auslogics Driver Updater.lnk"="10/1/2019 9:01 AM, 1212 bytes, A In the existing folder C:\Windows Alters the file win.ini 7/14/2009 7:09 AM, 403 bytes, A ==> 10/1/2019 9:01 AM, 466 bytes, A Adds the folder C:\Windows\System32\Tasks\Auslogics\Driver Updater Adds the file Start Driver Updater оn {username} logon"="10/1/2019 9:01 AM, 3838 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D067D143-DFAB-C1C0-EDD9-899DF401324E}\Version] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Auslogics] "ClientID"="REG_SZ", "{21A82FDE-582C-45AA-8B07-6128D082C1C1}" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Auslogics\ATUpdaters\1.x\Settings] "Shared.Blocking.Driver Updater"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Auslogics\Driver Updater\1.x\Settings] "App.Application.PurchaseUrlParam"="REG_SZ", "" "App.AutoUpdate.Enabled"="REG_DWORD", 1 "Application.IsFirstRun"="REG_DWORD", 0 "Application.ModulePath"="REG_SZ", "C:\Program Files (x86)\Auslogics\Driver Updater\" "Application.SendInfo"="REG_DWORD", 0 "Application.SupportPhone"="REG_SZ", "SUPPORT_PHONE_USA_CANADA" "Application.UpdateDate"="REG_BINARY, .... "FirstInitDate"="REG_BINARY, .... "General.Cookie"="REG_SZ", "" "General.CountRun.DriverUpdater.exe"="REG_QWORD, .... "General.DefWebBrowser"="REG_SZ", "C:\Program Files (x86)\Opera\launcher.exe" "General.DoNotAddUtmToUrls"="REG_DWORD", 1 "General.InstallDateTime"="REG_BINARY, .... "General.Language"="REG_SZ", "ENU" "General.LastRun.DriverUpdater.exe"="REG_BINARY, .... "General.URLClientId"="REG_SZ", "1917153589.1569912884" "General.URLCustomPart"="REG_SZ", "_sid=gm2hdAZfXr" "General.URLSID"="REG_SZ", "gm2hdAZfXr" "General.URLSource"="REG_SZ", "driver-updater" "GoogleAnalytics.CustomCategory"="REG_SZ", "1.21.3.0-null-enu-null-lite" "Popups.LibraryInitDate"="REG_BINARY, .... [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BSD\DriverHiveEngine] "DriverIgnoreList"="REG_SZ", "" "DriverUploadList"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{23BB1B18-3537-48F7-BEF7-42BC65DBF993}_is1] "Contact"="REG_SZ", "info@auslogics.com" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Auslogics\Driver Updater\DriverUpdater.exe" "DisplayName"="REG_SZ", "Auslogics Driver Updater" "DisplayVersion"="REG_SZ", "1.21.3.0" "EstimatedSize"="REG_DWORD", 44502 "HelpLink"="REG_SZ", "http://www.auslogics.com/en/support/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Auslogics\Driver Updater" "Inno Setup: Icon Group"="REG_SZ", "Auslogics\Driver Updater" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20191001" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Auslogics\Driver Updater\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 21 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Auslogics Labs Pty Ltd" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Auslogics\Driver Updater\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Auslogics\Driver Updater\unins000.exe" /compability" "URLInfoAbout"="REG_SZ", "http://www.auslogics.com/en/contact" "URLUpdateInfo"="REG_SZ", "http://www.auslogics.com/en/software/driver-updater/" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 21 [HKEY_CURRENT_USER\Software\BSD\PCZ] Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/1/19 Scan Time: 9:13 AM Log File: 06416a68-e41b-11e9-8efa-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12719 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235160 Threats Detected: 38 Threats Quarantined: 38 Time Elapsed: 10 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DRIVERUPDATER.EXE, Quarantined, [3607], [341786],1.0.12719 Module: 15 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\LOCALIZER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\ATUPDATERSHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\GOOGLEANALYTICSHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\SYSTEMINFORMATIONHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DEBUGHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\ATPOPUPSHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\COMMONFORMS.SITE.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DRIVERUPDATERHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\TASKSCHEDULERHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\COMMONFORMS.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.DriverHive, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DRIVERHIVEENGINE.DLL, Quarantined, [2963], [542209],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\COMMONFORMS.ROUTINE.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DRIVERUPDATER.EXE, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\CFAHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\RESCUECENTERHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 Registry Key: 3 PUP.Optional.AuslogicsDriverUpdater, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Auslogics\Driver Updater\Start Driver Updater оn {username} logon, Quarantined, [3607], [341781],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F7D9EDE3-BE63-463C-B77F-21095C013679}, Quarantined, [3607], [341781],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{F7D9EDE3-BE63-463C-B77F-21095C013679}, Quarantined, [3607], [341781],1.0.12719 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.AuslogicsDriverUpdater, C:\WINDOWS\SYSTEM32\TASKS\AUSLOGICS\DRIVER UPDATER, Quarantined, [3607], [341781],1.0.12719 File: 18 PUP.Optional.AuslogicsDriverUpdater, C:\Windows\System32\Tasks\Auslogics\Driver Updater\Start Driver Updater оn {username} logon, Quarantined, [3607], [341781],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\LOCALIZER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\ATUPDATERSHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\GOOGLEANALYTICSHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\SYSTEMINFORMATIONHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DEBUGHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\ATPOPUPSHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\COMMONFORMS.SITE.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DRIVERUPDATERHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\TASKSCHEDULERHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\COMMONFORMS.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.DriverHive, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DRIVERHIVEENGINE.DLL, Quarantined, [2963], [542209],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\COMMONFORMS.ROUTINE.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\USERS\{username}\Desktop\Auslogics Driver Updater.lnk, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\DRIVERUPDATER.EXE, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\CFAHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\PROGRAM FILES (X86)\AUSLOGICS\DRIVER UPDATER\RESCUECENTERHELPER.DLL, Quarantined, [3607], [341786],1.0.12719 PUP.Optional.AuslogicsDriverUpdater, C:\USERS\{username}\DESKTOP\DRIVER-UPDATER-SETUP.EXE, Quarantined, [3607], [341785],1.0.12719 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Sodoweb?The Malwarebytes research team has determined that Sodoweb is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Sodoweb?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You may see your search results redirected like this:How did Sodoweb get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Sodoweb?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Sodoweb? No, Malwarebytes removes Sodoweb completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Sodoweb hijacker. They would respectively have blocked the ad-rotator and their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Sodoweb) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm [2019-09-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0 Adds the file background.js"="9/30/2019 12:48 AM, 6160 bytes, A Adds the file manifest.json"="9/30/2019 8:15 AM, 1725 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\_metadata Adds the file computed_hashes.json"="9/30/2019 8:15 AM, 404 bytes, A Adds the file verified_contents.json"="9/30/2019 12:50 AM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\icons Adds the file icon128.png"="9/30/2019 8:15 AM, 2188 bytes, A Adds the file icon48.png"="9/30/2019 8:15 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm Adds the file 000003.log"="9/30/2019 8:17 AM, 116 bytes, A Adds the file CURRENT"="9/30/2019 8:15 AM, 16 bytes, A Adds the file LOCK"="9/30/2019 8:15 AM, 0 bytes, A Adds the file LOG"="9/30/2019 8:15 AM, 183 bytes, A Adds the file MANIFEST-000001"="9/30/2019 8:15 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "idmkgbgmbllplkegkhkjgmhhjambekfm"="REG_SZ", "63D481015A49ECBDBBC587AC33534559C393F26CAF290BB9B7A9617B3CE60C6B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/30/19 Scan Time: 3:30 PM Log File: 74b610ba-e386-11e9-b31c-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.627 Update Package Version: 1.0.12707 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235055 Threats Detected: 20 Threats Quarantined: 20 Time Elapsed: 14 min, 20 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Notics, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|idmkgbgmbllplkegkhkjgmhhjambekfm, Quarantined, [14724], [740507],1.0.12707 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\_metadata, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\icons, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IDMKGBGMBLLPLKEGKHKJGMHHJAMBEKFM, Quarantined, [14724], [740507],1.0.12707 File: 14 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm\000003.log, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm\CURRENT, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm\LOCK, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm\LOG, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm\LOG.old, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\idmkgbgmbllplkegkhkjgmhhjambekfm\MANIFEST-000001, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IDMKGBGMBLLPLKEGKHKJGMHHJAMBEKFM\3.3.1_0\BACKGROUND.JS, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\icons\icon128.png, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\icons\icon48.png, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\_metadata\computed_hashes.json, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\_metadata\verified_contents.json, Quarantined, [14724], [740507],1.0.12707 PUP.Optional.Notics, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmkgbgmbllplkegkhkjgmhhjambekfm\3.3.1_0\manifest.json, Quarantined, [14724], [740507],1.0.12707 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is Advanced SystemRepair Pro?The Malwarebytes research team has determined that Advanced SystemRepair Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Advanced SystemRepair Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Advanced SystemRepair Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Advanced SystemRepair Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Advanced SystemRepair Pro? The icon in the taskbar can be removed if it belonged to Advanced SystemRepair Pro. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Advanced SystemRepair Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Advanced System Repair, Inc. -> Advanced System Repair Inc.) C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\AdvancedSystemRepairPro.exe (Advanced System Repair, Inc. -> Advanced System Repair Inc.) C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\tscmon.exe Task: {939958F1-0240-4445-8295-2B1A8E2726B6} - System32\Tasks\AdvancedSystemRepairPro-Maintenance-Autorun => C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\AdvancedSystemRepairPro.exe [20492440 2019-09-27] (Advanced System Repair, Inc. -> Advanced System Repair Inc.) R3 tscmon; C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\tscmon.exe [1347224 2019-09-27] (Advanced System Repair, Inc. -> Advanced System Repair Inc.) U1 asrdmon; C:\Windows\system32\drivers\asrdmon.sys [19608 2019-09-27] (Advanced System Repair, Inc. -> Advanced System Repair Inc.) C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0 (Advanced System Repair Inc.) C:\Windows\system32\Drivers\asrdmon.sys C:\Windows\System32\Tasks\AdvancedSystemRepairPro-Maintenance-Autorun C:\Users\Public\Desktop\Advanced System Repair Pro.lnk C:\ProgramData\Desktop\Advanced System Repair Pro.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced System Repair Pro C:\ProgramData\TSR7Settings Advanced System Repair Pro (HKCU\...\Advanced System Repair Pro) (Version: 1.8.9.9 - Advanced System Repair, Inc.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0 Adds the file AdvancedSystemRepairPro.exe"="9/27/2019 11:09 AM, 20492440 bytes, A Adds the file asrscan.sys"="9/27/2019 11:09 AM, 19608 bytes, A Adds the file BouncyCastle.Crypto.dll"="9/27/2019 11:09 AM, 2236416 bytes, A Adds the file dsutil.exe"="9/27/2019 11:09 AM, 192152 bytes, A Adds the file InfExtractor.dll"="9/27/2019 11:09 AM, 27800 bytes, A Adds the file Microsoft.Deployment.WindowsInstaller.dll"="9/27/2019 11:09 AM, 196976 bytes, A Adds the file Microsoft.Experimental.IO.dll"="9/27/2019 11:09 AM, 13824 bytes, A Adds the file Newtonsoft.Json.dll"="9/27/2019 11:09 AM, 540672 bytes, A Adds the file pcw.dll"="9/27/2019 11:09 AM, 137368 bytes, A Adds the file pcw.pack"="9/27/2019 11:09 AM, 77517 bytes, A Adds the file SevenZipSharp.dll"="9/27/2019 11:09 AM, 151040 bytes, A Adds the file System.Security.Cryptography.Algorithms.dll"="9/27/2019 11:09 AM, 39872 bytes, A Adds the file System.Security.Cryptography.Encoding.dll"="9/27/2019 11:09 AM, 23480 bytes, A Adds the file System.Security.Cryptography.Primitives.dll"="9/27/2019 11:09 AM, 22816 bytes, A Adds the file System.Security.Cryptography.X509Certificates.dll"="9/27/2019 11:09 AM, 38872 bytes, A Adds the file tfj2.res"="9/27/2019 11:11 AM, 75208 bytes, A Adds the file tscmon.exe"="9/27/2019 11:09 AM, 1347224 bytes, A Adds the file ZetaLongPaths.dll"="9/27/2019 11:09 AM, 62464 bytes, A Adds the folder C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z Adds the file 7z.dll"="9/27/2019 11:09 AM, 992768 bytes, A Adds the file 7z.exe"="9/27/2019 11:09 AM, 244736 bytes, A Adds the file 7-zip.dll"="9/27/2019 11:09 AM, 50176 bytes, A Adds the file history.txt"="9/27/2019 11:09 AM, 2435 bytes, A Adds the file License.txt"="9/27/2019 11:09 AM, 1142 bytes, A Adds the file readme.txt"="9/27/2019 11:09 AM, 4375 bytes, A Adds the folder C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\x64 Adds the file 7z.dll"="9/27/2019 11:09 AM, 1422336 bytes, A Adds the file 7z.exe"="9/27/2019 11:09 AM, 284160 bytes, A Adds the file 7-zip.dll"="9/27/2019 11:09 AM, 86016 bytes, A Adds the folder C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\drvstats Adds the file drop.php"="9/27/2019 11:09 AM, 212 bytes, A Adds the file rep.php"="9/27/2019 11:09 AM, 678 bytes, A Adds the file view.php"="9/27/2019 11:09 AM, 774 bytes, A Adds the folder C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\reports Adds the file fraglist_c.luar"="9/27/2019 11:18 AM, 236709 bytes, A Adds the folder C:\ProgramData\TSR7Settings Adds the file app.log"="9/27/2019 11:11 AM, 281 bytes, A Adds the file cookie.db"="9/27/2019 11:10 AM, 50119 bytes, A Adds the file dsutil.zip"="9/27/2019 11:09 AM, 2673525 bytes, A Adds the file e.txt"="9/27/2019 11:09 AM, 0 bytes, A Adds the file j.db"="9/27/2019 11:21 AM, 858112 bytes, A Adds the file res2.db"="9/27/2019 11:21 AM, 56320 bytes, A Adds the file s3.txt"="9/27/2019 11:21 AM, 447 bytes, A Adds the file srv.db"="9/27/2019 11:09 AM, 2048 bytes, A Adds the file st.db"="9/27/2019 11:09 AM, 11264 bytes, A Adds the file uninstasr.exe"="9/27/2019 11:03 AM, 19064008 bytes, A Adds the folder C:\ProgramData\TSR7Settings\av Adds the file 0.def"="9/27/2019 11:09 AM, 3633084 bytes, A Adds the file 1.def"="9/27/2019 11:10 AM, 8214017 bytes, A Adds the file 2.def"="9/27/2019 11:10 AM, 16266233 bytes, A Adds the file srv.txt"="9/27/2019 11:09 AM, 0 bytes, A Adds the folder C:\ProgramData\TSR7Settings\av\q2 Adds the folder C:\ProgramData\TSR7Settings\fc In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar Adds the file Advanced System Repair Pro.lnk"="9/27/2019 11:09 AM, 1196 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced System Repair Pro Adds the file Advanced System Repair Pro.lnk"="9/27/2019 11:09 AM, 1196 bytes, A Adds the file Uninstall Advanced System Repair Pro.lnk"="9/27/2019 11:09 AM, 1465 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Advanced System Repair Pro.lnk"="9/27/2019 11:09 AM, 1160 bytes, A In the existing folder C:\Windows\System32\drivers Adds the file asrdmon.sys"="9/27/2019 11:09 AM, 19608 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file AdvancedSystemRepairPro-Maintenance-Autorun"="9/27/2019 11:09 AM, 3344 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{233F8F82-F91E-4E49-2222-BD21AB39D1BB}] "(Default)"="REG_SZ", "tscmon.Gate" "AuthenticationLevel"="REG_DWORD", 1 "LocalService"="REG_SZ", "tscmon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{A245B088-41FA-478E-8DEA-86177F1394BB}] "(Default)"="REG_SZ", "tscmon" "LocalService"="REG_SZ", "tscmon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tscmon.Gate] "(Default)"="REG_SZ", "tscmon.Gate" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{23311E82-B997-11CF-2222-0080C7B2D6BB}\1.0] "(Default)"="REG_SZ", "Advanced System Repair Pro Library" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\AdvancedSystemRepairPro] "InstallDir"="REG_SZ", "C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\asrdmon] "DependOnService"="REG_MULTI_SZ, "FltMgr " "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "FSFilter Content Screener" "ImagePath"="REG_SZ", "\SystemRoot\system32\drivers\asrdmon.sys" "Start"="REG_DWORD", 1 "Type"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\asrdmon\Enum] "0"="REG_SZ", "Root\LEGACY_ASRDMON\0000" "Count"="REG_DWORD", 1 "NextInstance"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\asrdmon\Instances] "DefaultInstance"="REG_SZ", "asrdmon" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\asrdmon\Instances\asrdmon] "Altitude"="REG_SZ", "389992" "Flags"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tscmon] "DisplayName"="REG_SZ", "tscmon" "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "UIGroup" "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\tscmon.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 3 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\AdvancedSystemRepairPro] "InstallDir"="REG_SZ", "C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Advanced System Repair Pro] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\AdvancedSystemRepairPro.exe" "DisplayName"="REG_SZ", "Advanced System Repair Pro" "DisplayVersion"="REG_SZ", "1.8.9.9" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0" "Publisher"="REG_SZ", "Advanced System Repair, Inc." "UninstallString"="REG_SZ", ""C:\ProgramData\TSR7Settings\uninstasr.exe" -removeit" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 8 [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers] "C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\AdvancedSystemRepairPro.exe"="REG_SZ", "~ DPIUNAWARE" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/27/19 Scan Time: 11:30 AM Log File: 6490de38-e109-11e9-ae20-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12669 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235309 Threats Detected: 66 Threats Quarantined: 66 Time Elapsed: 11 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\AdvancedSystemRepairPro.exe, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\tscmon.exe, Quarantined, [484], [506683],1.0.12669 Module: 3 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\AdvancedSystemRepairPro.exe, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\pcw.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\tscmon.exe, Quarantined, [484], [506683],1.0.12669 Registry Key: 17 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AdvancedSystemRepairPro-Maintenance-Autorun, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{939958F1-0240-4445-8295-2B1A8E2726B6}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{939958F1-0240-4445-8295-2B1A8E2726B6}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\TYPELIB\{23311E82-B997-11CF-2222-0080C7B2D6BB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\INTERFACE\{23387882-DEAA-4971-2222-5D5046F2B3BB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\INTERFACE\{2532D782-C4FC-4ED8-2222-D654E27AF7F8}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\INTERFACE\{2F343382-EFC2-49C9-2222-FC0C403B0EBB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{23387882-DEAA-4971-2222-5D5046F2B3BB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{2532D782-C4FC-4ED8-2222-D654E27AF7F8}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{2F343382-EFC2-49C9-2222-FC0C403B0EBB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{23387882-DEAA-4971-2222-5D5046F2B3BB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{2532D782-C4FC-4ED8-2222-D654E27AF7F8}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{2F343382-EFC2-49C9-2222-FC0C403B0EBB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{23311E82-B997-11CF-2222-0080C7B2D6BB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{23311E82-B997-11CF-2222-0080C7B2D6BB}, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tscmon, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Advanced System Repair Pro, Quarantined, [484], [724287],1.0.12669 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\drvstats, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\reports, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\x64, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\PROGRAM FILES (X86)\Advanced System Repair Pro 1.8.9.9.0, Quarantined, [484], [506683],1.0.12669 File: 39 PUP.Optional.AdvancedSystemRepair, C:\Windows\System32\drivers\asrdmon.sys, Quarantined, [484], [708572],0.0.0 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\x64\7-zip.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\x64\7z.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\x64\7z.exe, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\7-zip.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\7z.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\7z.exe, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\history.txt, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\License.txt, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\7z\readme.txt, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\drvstats\drop.php, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\drvstats\rep.php, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\drvstats\view.php, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\reports\fraglist_c.luar, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\pcw.pack, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\AdvancedSystemRepairPro.exe, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\asrscan.sys, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\BouncyCastle.Crypto.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\dsutil.exe, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\InfExtractor.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\Microsoft.Deployment.WindowsInstaller.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\Microsoft.Experimental.IO.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\Newtonsoft.Json.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\pcw.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\SevenZipSharp.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\System.Security.Cryptography.Algorithms.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\System.Security.Cryptography.Encoding.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\System.Security.Cryptography.Primitives.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\System.Security.Cryptography.X509Certificates.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\tfj2.res, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\tscmon.exe, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\Program Files (x86)\Advanced System Repair Pro 1.8.9.9.0\ZetaLongPaths.dll, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\WINDOWS\SYSTEM32\TASKS\AdvancedSystemRepairPro-Maintenance-Autorun, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Advanced System Repair Pro.lnk, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\Advanced System Repair Pro.lnk, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\USERS\PUBLIC\Desktop\Advanced System Repair Pro.lnk, Quarantined, [484], [506683],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\PROGRAMDATA\TSR7SETTINGS\UNINSTASR.EXE, Quarantined, [484], [724287],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\PROGRAMDATA\TSR7SETTINGS\DSUTIL.ZIP, Quarantined, [484], [708572],1.0.12669 PUP.Optional.AdvancedSystemRepair, C:\USERS\{username}\DESKTOP\ASR_G-INSTALLER.EXE, Quarantined, [484], [724287],1.0.12669 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is Ultra Music Search?The Malwarebytes research team has determined that Ultra Music Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Ultra Music Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Ultra Music Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Ultra Music Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Ultra Music Search? No, Malwarebytes removes Ultra Music Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Ultra Music Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://music.myultrasearch.net/search/?category=web&s=e3ds&vert=music&q={searchTerms} CHR DefaultSearchKeyword: Default -> Ultra Music Search CHR DefaultSuggestURL: Default -> hxxp://sug.myultrasearch.net/search/index_sg.php?q={searchTerms} CHR Extension: (Ultra Music Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd [2019-09-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0 Adds the file background.js"="9/15/2019 9:47 AM, 1790 bytes, A Adds the file manifest.json"="9/25/2019 9:09 AM, 1897 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\_metadata Adds the file computed_hashes.json"="9/25/2019 9:09 AM, 3760 bytes, A Adds the file verified_contents.json"="9/15/2019 10:16 AM, 3016 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\browser_action Adds the file browser_action.html"="9/15/2019 9:47 AM, 2239 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\browser_action\js Adds the file main.js"="9/15/2019 9:47 AM, 365 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\icons Adds the file icon128.png"="9/25/2019 9:09 AM, 2422 bytes, A Adds the file icon16.png"="9/25/2019 9:09 AM, 355 bytes, A Adds the file icon38.png"="9/25/2019 9:09 AM, 786 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images Adds the file icon128.png"="9/15/2019 9:47 AM, 1913 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\rateshare Adds the file close.png"="9/15/2019 9:47 AM, 1920 bytes, A Adds the file rate.jpg"="9/15/2019 9:47 AM, 102155 bytes, A Adds the file rate1.png"="9/15/2019 9:47 AM, 12334 bytes, A Adds the file share.jpg"="9/15/2019 9:47 AM, 17633 bytes, A Adds the file share1.png"="9/15/2019 9:47 AM, 4466 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\js Adds the file rate.js"="9/15/2019 10:16 AM, 2830 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\js\jquery Adds the file jquery.min.js"="9/15/2019 9:47 AM, 83100 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jlnigffaoljhncojcdlahoabeafbabmd"="REG_SZ", "9B74AB9E810D2FD0B5F67E24FB2576241EB5007342B797D4AFCB043AB23EC8FA" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/26/19 Scan Time: 9:56 AM Log File: 25a9514a-e033-11e9-8c38-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12655 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235265 Threats Detected: 30 Threats Quarantined: 30 Time Elapsed: 11 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.UltraApps, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jlnigffaoljhncojcdlahoabeafbabmd, Quarantined, [2475], [738739],1.0.12655 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\browser_action\js, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\rateshare, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\browser_action, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\js\jquery, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\_metadata, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\icons, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\js, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JLNIGFFAOLJHNCOJCDLAHOABEAFBABMD, Quarantined, [2475], [738739],1.0.12655 File: 19 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\browser_action\js\main.js, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\browser_action\browser_action.html, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\icons\icon128.png, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\icons\icon16.png, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\icons\icon38.png, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\rateshare\close.png, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\rateshare\rate.jpg, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\rateshare\rate1.png, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\rateshare\share.jpg, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\rateshare\share1.png, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\images\icon128.png, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\js\jquery\jquery.min.js, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\js\rate.js, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\_metadata\computed_hashes.json, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\_metadata\verified_contents.json, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\background.js, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnigffaoljhncojcdlahoabeafbabmd\1.0.3_0\manifest.json, Quarantined, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2475], [738739],1.0.12655 PUP.Optional.UltraApps, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2475], [738739],1.0.12655 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is Genius App?The Malwarebytes research team has determined that Genius App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Genius App?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this changed setting:How did Genius App get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Genius App?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Genius App? No, Malwarebytes removes Genius App completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Genius App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://searchgeniusapp.com/results.php?p=9046&v=400&q={searchTerms}&source=default CHR DefaultSearchKeyword: Default -> sga CHR DefaultSuggestURL: Default -> hxxps://searchgeniusapp.com/gjson.php?q={searchTerms} CHR Extension: (Genius) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg [2019-09-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0 Adds the file background.js"="9/6/2019 6:19 PM, 7577 bytes, A Adds the file manifest.json"="9/25/2019 1:44 PM, 1624 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\_metadata Adds the file computed_hashes.json"="9/25/2019 1:44 PM, 404 bytes, A Adds the file verified_contents.json"="9/6/2019 6:19 PM, 1645 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\icons Adds the file icon128.png"="9/25/2019 1:44 PM, 2188 bytes, A Adds the file icon48.png"="9/25/2019 1:44 PM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgdpnfipkbfehgjjdidiclaongaoakcg Adds the file 000003.log"="9/25/2019 1:44 PM, 76 bytes, A Adds the file CURRENT"="9/25/2019 1:44 PM, 16 bytes, A Adds the file LOCK"="9/25/2019 1:44 PM, 0 bytes, A Adds the file LOG"="9/25/2019 1:44 PM, 183 bytes, A Adds the file MANIFEST-000001"="9/25/2019 1:44 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dgdpnfipkbfehgjjdidiclaongaoakcg Adds the file Genius App.ico"="9/25/2019 1:44 PM, 162813 bytes, A Adds the file Genius App.ico.md5"="9/25/2019 1:44 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dgdpnfipkbfehgjjdidiclaongaoakcg"="REG_SZ", "5B3B6FE6B8DDA6CEEB75956F89AD252B17B38121A2606E708121E4AC1AF7A4F3" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/25/19 Scan Time: 1:55 PM Log File: 50202064-df8b-11e9-8255-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12643 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235341 Threats Detected: 21 Threats Quarantined: 21 Time Elapsed: 8 min, 5 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dgdpnfipkbfehgjjdidiclaongaoakcg, Quarantined, [376], [460702],1.0.12643 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dgdpnfipkbfehgjjdidiclaongaoakcg, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\_metadata, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\icons, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGDPNFIPKBFEHGJJDIDICLAONGAOAKCG, Quarantined, [376], [460702],1.0.12643 File: 15 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgdpnfipkbfehgjjdidiclaongaoakcg\000003.log, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgdpnfipkbfehgjjdidiclaongaoakcg\CURRENT, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgdpnfipkbfehgjjdidiclaongaoakcg\LOCK, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgdpnfipkbfehgjjdidiclaongaoakcg\LOG, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgdpnfipkbfehgjjdidiclaongaoakcg\MANIFEST-000001, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGDPNFIPKBFEHGJJDIDICLAONGAOAKCG\3.3_0\MANIFEST.JSON, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\icons\icon128.png, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\icons\icon48.png, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\_metadata\computed_hashes.json, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\_metadata\verified_contents.json, Quarantined, [376], [460702],1.0.12643 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgdpnfipkbfehgjjdidiclaongaoakcg\3.3_0\background.js, Quarantined, [376], [460702],1.0.12643 PUP.Optional.GeniusSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [379], [728121],1.0.12643 PUP.Optional.GeniusSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [379], [728121],1.0.12643 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is Search by Streaming?The Malwarebytes research team has determined that Search by Streaming is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search by Streaming?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search by Streaming get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website.How do I remove Search by Streaming?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search by Streaming? No, Malwarebytes removes Search by Streaming completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search by Streaming hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.streaming-time.com/?q={searchTerms}&publisher=streaming-timeds&barcodeid=562130000000000 CHR DefaultSearchKeyword: Default -> StreamingTime CHR DefaultSuggestURL: Default -> hxxps://api.streaming-time.com/suggest/get?q={searchTerms} CHR Extension: (StreamingTime) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm [2019-09-24] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0 Adds the file manifest.json"="9/24/2019 8:37 AM, 2130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\_metadata Adds the file computed_hashes.json"="9/24/2019 8:37 AM, 6088 bytes, A Adds the file verified_contents.json"="9/20/2019 2:57 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\images\icons Adds the file 128x128.png"="9/24/2019 8:37 AM, 3188 bytes, A Adds the file 16x16.png"="9/24/2019 8:37 AM, 423 bytes, A Adds the file 64x64.png"="9/24/2019 8:37 AM, 1538 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\scripts Adds the file background.js"="9/20/2019 2:57 PM, 511705 bytes, A Adds the file sitecontent.js"="9/20/2019 2:57 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_plfhcpepefdjhcemepdcooejceicigpm Adds the file Search by Streaming Time.ico"="9/24/2019 8:37 AM, 171708 bytes, A Adds the file Search by Streaming Time.ico.md5"="9/24/2019 8:37 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "plfhcpepefdjhcemepdcooejceicigpm"="REG_SZ", "341677CC70AD9E67F5E0242D440BC607106F39145F335D1A7438A4EB6DB67059" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/24/19 Scan Time: 8:54 AM Log File: 2aeaa8b2-de98-11e9-b695-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12623 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235343 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 12 min, 0 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.ExtensionClicks, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|plfhcpepefdjhcemepdcooejceicigpm, Quarantined, [267], [515054],1.0.12623 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\images\icons, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\_metadata, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\scripts, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\images, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PLFHCPEPEFDJHCEMEPDCOOEJCEICIGPM, Quarantined, [267], [515054],1.0.12623 File: 12 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PLFHCPEPEFDJHCEMEPDCOOEJCEICIGPM\3.0.2_0\MANIFEST.JSON, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\images\icons\128x128.png, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\images\icons\16x16.png, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\images\icons\64x64.png, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\scripts\background.js, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\scripts\sitecontent.js, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\_metadata\computed_hashes.json, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfhcpepefdjhcemepdcooejceicigpm\3.0.2_0\_metadata\verified_contents.json, Quarantined, [267], [515054],1.0.12623 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [267], [515055],1.0.12623 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [267], [515055],1.0.12623 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is Clusite?The Malwarebytes research team has determined that Clusite is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one redirects searches from the major search providers.How do I know if my computer is affected by Clusite?You may see this entry in your list of installed Chrome extensions:and these warnings during install:How did Clusite get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:which we've also seen in this version:How do I remove Clusite?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Clusite? No, Malwarebytes removes Clusite completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard would have protected you against the Clusite hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Clusite) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii [2019-09-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0 Adds the file background.js"="9/22/2019 1:13 PM, 6193 bytes, A Adds the file manifest.json"="9/23/2019 8:55 AM, 1726 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\_metadata Adds the file computed_hashes.json"="9/23/2019 8:55 AM, 404 bytes, A Adds the file verified_contents.json"="9/22/2019 1:13 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\icons Adds the file icon128.png"="9/23/2019 8:55 AM, 2188 bytes, A Adds the file icon48.png"="9/23/2019 8:55 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii Adds the file 000003.log"="9/23/2019 8:57 AM, 116 bytes, A Adds the file CURRENT"="9/23/2019 8:55 AM, 16 bytes, A Adds the file LOCK"="9/23/2019 8:55 AM, 0 bytes, A Adds the file LOG"="9/23/2019 8:56 AM, 184 bytes, A Adds the file MANIFEST-000001"="9/23/2019 8:55 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hmgdcjfpgkfpgggpjbjkgdcpkdgckoii"="REG_SZ", "2BDFEB7B44B38757FF1EF36E696952D52A2673E11DB6D9A001CB281880B8678B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/23/19 Scan Time: 9:05 AM Log File: 96475f24-ddd0-11e9-b0c0-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12605 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235665 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 6 min, 18 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.UniqSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hmgdcjfpgkfpgggpjbjkgdcpkdgckoii, Quarantined, [14776], [721972],1.0.12605 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.UniqSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\_metadata, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\icons, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HMGDCJFPGKFPGGGPJBJKGDCPKDGCKOII, Quarantined, [14776], [721972],1.0.12605 File: 13 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\000003.log, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\CURRENT, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\LOCK, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\LOG, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\MANIFEST-000001, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HMGDCJFPGKFPGGGPJBJKGDCPKDGCKOII\2.2.5_0\MANIFEST.JSON, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\icons\icon128.png, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\icons\icon48.png, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\_metadata\computed_hashes.json, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\_metadata\verified_contents.json, Quarantined, [14776], [721972],1.0.12605 PUP.Optional.UniqSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdcjfpgkfpgggpjbjkgdcpkdgckoii\2.2.5_0\background.js, Quarantined, [14776], [721972],1.0.12605 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. In July 2018, we introduced the Malwarebytes Browser Extension, a beta plugin for Firefox and Chrome aimed at delivering a safer, faster, and more private browsing experience. Our extension blocked tech support scams, hijackers, pop-up ads, trackers, and more to keep users secure and free from online harassment. And thanks to our loyal Malwarebytes community, we’ve been able to test and improve on this beta for more than a year. We’re pleased to release the full version, named Malwarebytes Browser Guard, which is now available in the Chrome and Firefox web stores. In this post, we’ll cover the features included in Browser Guard, its main functionality, how to whitelist preferred websites, and the difference between our extension and flagship PC and Mac software, Malwarebytes for Windows and Malwarebytes for Mac. What does Browser Guard do? Browser Guard, a free extension, blocks unwanted ads and trackers that intrude upon users’ privacy, while also protecting against clickbait and scams. The extension prevents browser hijackers, lockers, and annoying and sometimes malicious pop-ups, all known scare tactics to trap consumers in tech support scams, exposing them to unwanted content and forcing them into purchasing unnecessary, expensive technical support. Recent independent tests from AV Lab recently recognized Malwarebytes Browser Guard for having the best protection among competitive browser security offerings, blocking 98.07 percent of malware. What’s new in Browser Guard? After continuous testing of functionality with thousands of users for more than a year, the most prominent change we made from beta to final release is to the graphical user interface (GUI). While people were happy with the way the beta worked, many wished for more granular control in the settings, as well as more elaborate statistics on blocked ads, malware, scams and other items. I have Malwarebytes Premium. Do I still need Browser Guard? Browser Guard does have extra protection features, as well as benefits for privacy, including ad and tracker blocking. And of course, Malwarebytes Premium versions have anti-exploit technology, real-time malware protection, anti-ransomware, and stalkerware protections that Browser Guard does not. Where the web blocking module of Malwarebytes Premium and Browser Guard share a database of blocked IPs and domain, there is an overlap. Looking at Malwarebytes Premium, it blocks the IPs and domains for all running applications, where Browser Guard does this only for the browser the extension is installed on. On the other hand, Browser Guard blocks more than just domains and IP addresses. Not only does it recognize malicious websites based on their behavior that are not in the database (yet), it also blocks advertisements and trackers. These are not always malicious, but they usually do not improve user experience and blocking them can speed up your browsing up to four times. This gif shows a site before and after enabling Browser Guard and how much it blocked False positives Behavioral detection is prone to false positives. Of course, we do our utmost to avoid them as much as we can, but they can’t be totally avoided. Luckily, the worst that can happen is that you will be initially denied access to a website that turns out to be harmless. But that doesn’t mean you’re blocked for good. When you are sure the website is harmless, you can change the settings in Browser Guard to allow that specific site. That way, you can grant yourself access to the site without having to lower your global settings. Where some programs would require you to disable protection or lose your protection completely, our extension allows you to change site-specific settings without making your browser vulnerable on other sites. Whitelisting items for a website In Browser Guard, you can allow specific items by excluding them from certain types of protection and adding them to the “Allow list.” Here’s how to do it: In the Browser Guard GUI, click the hamburger menu icon (the three vertical dots next to the gear icon). In the dropdown menu, click Allow list. Here you can specify the site(s) that the exception will apply to in the form of a URL or an IP address. And you can choose the types of protection that you wish to disable for the site(s). These types are Ads/Trackers, Malware, Scams, and PUPs. Then click Done to confirm the exclusion. Browser Guard blocks items on Malwarebytes’ own website. How come? We do not discriminate between trackers and websites. Our own Malwarebytes website uses trackers to monitor how readers engage so that we can offer better content, design, and functionality. We do not gather any personal information. But they are trackers, nonetheless, and if you don’t want them, we feel you should have the power to disable them everywhere, even on our own website. No discrimination also means we do not take money from advertisers to allow their advertisements, like some other ad-blockers have been known to do. Permissions Malwarebytes Browser Guard needs to be able to read and change data on the websites you visit so it can remove advertisements and other unwanted elements. It also needs to be able to manage your downloads to protect you from downloading dangerous files on your system. The Chrome installer prompt also mentions that our extension can “Communicate with cooperating websites.” What does that mean? Certain sites use ad-serving techniques that are intrusive in nature, so when we block ads on those sites, it breaks the user experience. The permission “Communicate with cooperating websites” allows Browser Guard to work with sites to interactively block ads without affecting any content. This provides a better user experience than could be achieved without communication. Browser Guard use case Magecart is a group that specializes in stealing credit card information using a technique that is called skimming. They basically intercept traffic from payment sites to exfiltrate credit card information. Below you can see how Browser Guard can protect your information on a site that has been infiltrated by Magecart. Support If you need help or guidance for the install or settings of Malwarebytes Browser Guard, we are happy to refer you to our online support guide. Happy surfing, everyone!
  21. In July 2018, we introduced the Malwarebytes Browser Extension, a beta plugin for Firefox and Chrome aimed at delivering a safer, faster, and more private browsing experience. Our extension blocked tech support scams, hijackers, pop-up ads, trackers, and more to keep users secure and free from online harassment. And thanks to our loyal Malwarebytes community, we’ve been able to test and improve on this beta for more than a year. We’re pleased to release the full version, named Malwarebytes Browser Guard, which is now available in the Chrome and Firefox web stores. In this post, we’ll cover the features included in Browser Guard, its main functionality, how to whitelist preferred websites, and the difference between our extension and flagship PC and Mac software, Malwarebytes for Windows and Malwarebytes for Mac. What does Browser Guard do? Browser Guard, a free extension, blocks unwanted ads and trackers that intrude upon users’ privacy, while also protecting against clickbait and scams. The extension prevents browser hijackers, lockers, and annoying and sometimes malicious pop-ups, all known scare tactics to trap consumers in tech support scams, exposing them to unwanted content and forcing them into purchasing unnecessary, expensive technical support. Recent independent tests from AV Lab recently recognized Malwarebytes Browser Guard for having the best protection among competitive browser security offerings, blocking 98.07 percent of malware. What’s new in Browser Guard? After continuous testing of functionality with thousands of users for more than a year, the most prominent change we made from beta to final release is to the graphical user interface (GUI). While people were happy with the way the beta worked, many wished for more granular control in the settings, as well as more elaborate statistics on blocked ads, malware, scams and other items. I have Malwarebytes Premium. Do I still need Browser Guard? Browser Guard does have extra protection features, as well as benefits for privacy, including ad and tracker blocking. And of course, Malwarebytes Premium versions have anti-exploit technology, real-time malware protection, anti-ransomware, and stalkerware protections that Browser Guard does not. Where the web blocking module of Malwarebytes Premium and Browser Guard share a database of blocked IPs and domain, there is an overlap. Looking at Malwarebytes Premium, it blocks the IPs and domains for all running applications, where Browser Guard does this only for the browser the extension is installed on. On the other hand, Browser Guard blocks more than just domains and IP addresses. Not only does it recognize malicious websites based on their behavior that are not in the database (yet), it also blocks advertisements and trackers. These are not always malicious, but they usually do not improve user experience and blocking them can speed up your browsing up to four times. This gif shows a site before and after enabling Browser Guard and how much it blocked False positives Behavioral detection is prone to false positives. Of course, we do our utmost to avoid them as much as we can, but they can’t be totally avoided. Luckily, the worst that can happen is that you will be initially denied access to a website that turns out to be harmless. But that doesn’t mean you’re blocked for good. When you are sure the website is harmless, you can change the settings in Browser Guard to allow that specific site. That way, you can grant yourself access to the site without having to lower your global settings. Where some programs would require you to disable protection or lose your protection completely, our extension allows you to change site-specific settings without making your browser vulnerable on other sites. Whitelisting items for a website In Browser Guard, you can allow specific items by excluding them from certain types of protection and adding them to the “Allow list.” Here’s how to do it: In the Browser Guard GUI, click the hamburger menu icon (the three vertical dots next to the gear icon). In the dropdown menu, click Allow list. Here you can specify the site(s) that the exception will apply to in the form of a URL or an IP address. And you can choose the types of protection that you wish to disable for the site(s). These types are Ads/Trackers, Malware, Scams, and PUPs. Then click Done to confirm the exclusion. Browser Guard blocks items on Malwarebytes’ own website. How come? We do not discriminate between trackers and websites. Our own Malwarebytes website uses trackers to monitor how readers engage so that we can offer better content, design, and functionality. We do not gather any personal information. But they are trackers, nonetheless, and if you don’t want them, we feel you should have the power to disable them everywhere, even on our own website. No discrimination also means we do not take money from advertisers to allow their advertisements, like some other ad-blockers have been known to do. Permissions Malwarebytes Browser Guard needs to be able to read and change data on the websites you visit so it can remove advertisements and other unwanted elements. It also needs to be able to manage your downloads to protect you from downloading dangerous files on your system. The Chrome installer prompt also mentions that our extension can “Communicate with cooperating websites.” What does that mean? Certain sites use ad-serving techniques that are intrusive in nature, so when we block ads on those sites, it breaks the user experience. The permission “Communicate with cooperating websites” allows Browser Guard to work with sites to interactively block ads without affecting any content. This provides a better user experience than could be achieved without communication. Browser Guard use case Magecart is a group that specializes in stealing credit card information using a technique that is called skimming. They basically intercept traffic from payment sites to exfiltrate credit card information. Below you can see how Browser Guard can protect your information on a site that has been infiltrated by Magecart. Support If you need help or guidance for the install or settings of Malwarebytes Browser Guard, we are happy to refer you to our online support guide. Happy surfing, everyone!
  22. What is CinematicFanatic?The Malwarebytes research team has determined that CinematicFanatic is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.CinematicFanatic is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by CinematicFanatic?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:this icon in the menubar of affected browsers:and this new homepage in the affected browsers:How did CinematicFanatic get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove CinematicFanatic?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of CinematicFanatic? No, Malwarebytes' Anti-Malware removes CinematicFanatic completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the CinematicFanatic hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/cinematicfanatic/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _i9Members_@free.cinematicfanatic.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _i9Members_@free.cinematicfanatic.com FF Extension: (CinematicFanatic) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_i9Members_@free.cinematicfanatic.com.xpi [2019-09-20] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=230708697&version=8.914.16.6962&track=TTAB02&trackRevision=1&fromId=_i9Members_%40free.cinematicfanatic.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://gnkmabogpoolndcfgdpifkclkadaloak/ntp.html" CHR Extension: (CinematicFanatic) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak [2019-09-20] C:\Users\{username}\AppData\Local\CinematicFanaticTooltab CinematicFanatic Internet Explorer Homepage and New Tab (HKCU\...\CinematicFanaticTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\CinematicFanaticTooltab Adds the file TooltabExtension.dll"="8/7/2019 10:19 PM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0 Adds the file manifest.json"="9/20/2019 10:37 AM, 2659 bytes, A Adds the file ntp.html"="7/3/2019 10:17 AM, 1423 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_locales\en Adds the file messages.json"="9/20/2019 10:37 AM, 258 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_metadata Adds the file computed_hashes.json"="9/20/2019 10:37 AM, 5503 bytes, A Adds the file verified_contents.json"="7/3/2019 10:17 AM, 5999 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\config Adds the file config.json"="7/3/2019 10:17 AM, 1574 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js Adds the file ajax.js"="7/3/2019 10:17 AM, 3263 bytes, A Adds the file babAPI.js"="7/3/2019 10:17 AM, 5703 bytes, A Adds the file babClickHandler.js"="7/3/2019 10:17 AM, 11430 bytes, A Adds the file babContentScript.js"="7/3/2019 10:17 AM, 3749 bytes, A Adds the file babContentScriptAPI.js"="7/3/2019 10:17 AM, 9842 bytes, A Adds the file background.js"="7/3/2019 10:17 AM, 18011 bytes, A Adds the file browserUtils.js"="7/3/2019 10:17 AM, 1536 bytes, A Adds the file chrome.js"="7/3/2019 10:17 AM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="7/3/2019 10:17 AM, 22629 bytes, A Adds the file dateTimeUtils.js"="7/3/2019 10:17 AM, 1213 bytes, A Adds the file dlp.js"="7/3/2019 10:17 AM, 5783 bytes, A Adds the file dlpHelper.js"="7/3/2019 10:17 AM, 1835 bytes, A Adds the file extensionDetect.js"="7/3/2019 10:17 AM, 4354 bytes, A Adds the file index.js"="7/3/2019 10:17 AM, 49 bytes, A Adds the file localStorageContentScript.js"="7/3/2019 10:17 AM, 2236 bytes, A Adds the file logger.js"="7/3/2019 10:17 AM, 531 bytes, A Adds the file meta.js"="7/3/2019 10:17 AM, 1631 bytes, A Adds the file offerService.js"="7/3/2019 10:17 AM, 16953 bytes, A Adds the file pageUtils.js"="7/3/2019 10:17 AM, 3154 bytes, A Adds the file PartnerId.js"="7/3/2019 10:17 AM, 16402 bytes, A Adds the file polyfill.js"="7/3/2019 10:17 AM, 875 bytes, A Adds the file product.js"="7/3/2019 10:17 AM, 7837 bytes, A Adds the file remoteConfigLoader.js"="7/3/2019 10:17 AM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="7/3/2019 10:17 AM, 2821 bytes, A Adds the file storageUtils.js"="7/3/2019 10:17 AM, 1718 bytes, A Adds the file TemplateParser.js"="7/3/2019 10:17 AM, 3153 bytes, A Adds the file ul.js"="7/3/2019 10:17 AM, 3969 bytes, A Adds the file urlFragmentActions.js"="7/3/2019 10:17 AM, 2450 bytes, A Adds the file urlUtils.js"="7/3/2019 10:17 AM, 5906 bytes, A Adds the file util.js"="7/3/2019 10:17 AM, 2779 bytes, A Adds the file webtooltabAPI.js"="7/3/2019 10:17 AM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="7/3/2019 10:17 AM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gnkmabogpoolndcfgdpifkclkadaloak Adds the file 000003.log"="9/20/2019 10:37 AM, 4512 bytes, A Adds the file CURRENT"="9/20/2019 10:37 AM, 16 bytes, A Adds the file LOCK"="9/20/2019 10:37 AM, 0 bytes, A Adds the file LOG"="9/20/2019 10:37 AM, 185 bytes, A Adds the file MANIFEST-000001"="9/20/2019 10:37 AM, 41 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _i9Members_@free.cinematicfanatic.com.xpi"="9/20/2019 10:41 AM, 94715 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\CinematicFanatic] "Start Page"="REG_SZ", "http://hp.myway.com/cinematicfanatic/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gnkmabogpoolndcfgdpifkclkadaloak"="REG_SZ", "E4DEF626C7099A555C6ED1EAC7FCB19196FBBE83EB172E4CD97F87D8D6B6AFFF" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/cinematicfanatic/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CinematicFanaticTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "CinematicFanatic Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\CinematicFanaticTooltab\TooltabExtension.dll" U uninstall:CinematicFanatic" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/20/19 Scan Time: 11:07 AM Log File: 1de7ed1a-db86-11e9-87eb-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12571 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235748 Threats Detected: 71 Threats Quarantined: 71 Time Elapsed: 11 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CinematicFanaticTooltab\TooltabExtension.dll, Quarantined, [1779], [356944],1.0.12571 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CinematicFanaticTooltab Uninstall Internet Explorer, Quarantined, [1779], [356944],1.0.12571 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CinematicFanatic, Quarantined, [1779], [444113],1.0.12571 Registry Value: 3 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CinematicFanaticTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [650], [352442],1.0.12571 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CinematicFanatic|START PAGE, Quarantined, [1779], [444113],1.0.12571 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gnkmabogpoolndcfgdpifkclkadaloak, Quarantined, [1779], [443121],1.0.12571 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [650], [293497],1.0.12571 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CinematicFanaticTooltab, Quarantined, [1779], [356944],1.0.12571 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\gnkmabogpoolndcfgdpifkclkadaloak, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_locales\en, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_metadata, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_locales, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\config, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\icons, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GNKMABOGPOOLNDCFGDPIFKCLKADALOAK, Quarantined, [1779], [443121],1.0.12571 File: 54 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CinematicFanaticTooltab\TooltabExtension.dll, Quarantined, [1779], [356944],1.0.12571 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_i9Members_@free.cinematicfanatic.com.xpi, Quarantined, [1779], [457930],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gnkmabogpoolndcfgdpifkclkadaloak\000003.log, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gnkmabogpoolndcfgdpifkclkadaloak\CURRENT, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gnkmabogpoolndcfgdpifkclkadaloak\LOCK, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gnkmabogpoolndcfgdpifkclkadaloak\LOG, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gnkmabogpoolndcfgdpifkclkadaloak\MANIFEST-000001, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GNKMABOGPOOLNDCFGDPIFKCLKADALOAK\13.882.15.56001_0\MANIFEST.JSON, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\config\config.json, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\icons\icon128.png, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\icons\icon16.png, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\icons\icon19disabled.png, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\icons\icon19on.png, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\icons\icon48.png, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\localStorageContentScript.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\ajax.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\babAPI.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\babClickHandler.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\babContentScript.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\babContentScriptAPI.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\background.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\browserUtils.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\chrome.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\contentScriptConnectionManager.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\dateTimeUtils.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\dlp.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\dlpHelper.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\extensionDetect.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\index.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\logger.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\meta.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\offerService.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\pageUtils.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\PartnerId.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\polyfill.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\product.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\remoteConfigLoader.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\splashPageRedirectHandler.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\storageUtils.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\TemplateParser.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\ul.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\urlFragmentActions.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\urlUtils.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\util.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\webtooltabAPI.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\js\webTooltabAPIProxy.js, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_locales\en\messages.json, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_metadata\computed_hashes.json, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\_metadata\verified_contents.json, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnkmabogpoolndcfgdpifkclkadaloak\13.882.15.56001_0\ntp.html, Quarantined, [1779], [443121],1.0.12571 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\CINEMATICFANATIC.EXE, Quarantined, [650], [365288],1.0.12571 PUP.Optional.MindSpark, C:\USERS\{username}\DOWNLOADS\CINEMATICFANATIC.85F6F6FAD0EE4BED8FDE821A75B01431.EXE, Quarantined, [650], [365288],1.0.12571 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is iSportTV Search Plus?The Malwarebytes research team has determined that iSportTV Search Plus is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by iSportTV Search Plus?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did iSportTV Search Plus get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:How do I remove iSportTV Search Plus?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of iSportTV Search Plus? No, Malwarebytes removes iSportTV Search Plus completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the iSportTV Search Plus hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://sport.searchalgo.com/go/?category=web&s=itdp&vert=sporttv&var=plus&q={searchTerms} CHR DefaultSearchKeyword: Default -> iSportTV Search Plus CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (iSportTV Search Plus) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao [2019-09-19] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0 Adds the file background.js"="5/7/2017 2:12 PM, 8767 bytes, A Adds the file manifest.json"="9/19/2019 10:57 AM, 2143 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\_metadata Adds the file computed_hashes.json"="9/19/2019 10:57 AM, 6251 bytes, A Adds the file verified_contents.json"="5/7/2017 2:10 PM, 3041 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\icons Adds the file 38.png"="9/19/2019 10:57 AM, 1886 bytes, A Adds the file icon128.png"="9/19/2019 10:57 AM, 7096 bytes, A Adds the file icon16.png"="9/19/2019 10:57 AM, 599 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\images Adds the file search.jpg"="9/21/2016 2:09 PM, 162449 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus Adds the file index.html"="5/7/2017 2:11 PM, 3201 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\css Adds the file style.css"="9/21/2016 2:09 PM, 3941 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img Adds the file 38.png"="9/21/2016 2:09 PM, 16825 bytes, A Adds the file close.png"="9/21/2016 2:09 PM, 1109 bytes, A Adds the file dislike.png"="9/21/2016 2:09 PM, 1151 bytes, A Adds the file like.png"="9/21/2016 2:09 PM, 1108 bytes, A Adds the file search.jpg"="9/21/2016 2:09 PM, 162449 bytes, A Adds the file share.png"="9/21/2016 2:09 PM, 1170 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\js Adds the file jquery.min.js"="9/21/2016 2:09 PM, 85660 bytes, A Adds the file main.js"="5/7/2017 2:12 PM, 3652 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ofhbiojecnjgmhlfihgdmcihinliepao"="REG_SZ", "46418ED7A27CF56D733353C8298B6983C29905695F9439029FC6B5B2CC566F07" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/19/19 Scan Time: 11:08 AM Log File: 12427c4c-dabd-11e9-9a92-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12555 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: METALLICA-PC\Metallica -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235654 Threats Detected: 32 Threats Quarantined: 32 Time Elapsed: 11 min, 43 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.IEnjoyApps.Generic, HKU\S-1-5-21-1350903546-318028887-1286703239-1003\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ofhbiojecnjgmhlfihgdmcihinliepao, Quarantined, [14692], [443085],1.0.12555 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\_metadata, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\css, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\js, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\images, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\icons, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\USERS\METALLICA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OFHBIOJECNJGMHLFIHGDMCIHINLIEPAO, Quarantined, [14692], [443085],1.0.12555 File: 22 PUP.Optional.IEnjoyApps.Generic, C:\USERS\METALLICA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\USERS\METALLICA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\USERS\METALLICA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OFHBIOJECNJGMHLFIHGDMCIHINLIEPAO\1.0.1_0\MANIFEST.JSON, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\icons\38.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\icons\icon128.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\icons\icon16.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\images\search.jpg, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\css\style.css, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img\38.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img\close.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img\dislike.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img\like.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img\search.jpg, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\img\share.png, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\js\jquery.min.js, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\js\main.js, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\Plus\index.html, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\_metadata\computed_hashes.json, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\_metadata\verified_contents.json, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.IEnjoyApps.Generic, C:\Users\Metallica\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofhbiojecnjgmhlfihgdmcihinliepao\1.0.1_0\background.js, Quarantined, [14692], [443085],1.0.12555 PUP.Optional.SearchAlgo, C:\USERS\METALLICA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [376], [454816],1.0.12555 PUP.Optional.SearchAlgo, C:\USERS\METALLICA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [376], [454816],1.0.12555 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is Spartan Sentinel?The Malwarebytes research team has determined that Spartan Sentinel is a "privacy optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.This particular one has beenHow do I know if I am infected with Spartan Sentinel?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Spartan Sentinel get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Spartan Sentinel?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Spartan Sentinel? No, Malwarebytes removes Spartan Sentinel completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Spartan Sentinel installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Urbs disseny i comunicacio S.L. -> Urbs disseny i comunicacio S.L) C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe HKCU\...\Run: [SpartanSentinel] => C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe [5402896 2019-05-17] (Urbs disseny i comunicacio S.L. -> Urbs disseny i comunicacio S.L) Task: {60D06933-F395-44C6-A32F-9920FDB41542} - System32\Tasks\SpartanSentinel_Popup => C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe [5402896 2019-05-17] (Urbs disseny i comunicacio S.L. -> Urbs disseny i comunicacio S.L) <==== ATTENTION Task: {85C83886-911C-47F1-8683-71DAAEB8B1CD} - System32\Tasks\SpartanSentinel_PPO => C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe [5402896 2019-05-17] (Urbs disseny i comunicacio S.L. -> Urbs disseny i comunicacio S.L) <==== ATTENTION Task: {F6FA1436-0647-4A28-8543-992DE2DF7636} - System32\Tasks\SpartanSentinel-User_Account_Control => C:\Program Files (x86)\Spartan Sentinel\TaskTools.exe [54032 2019-05-17] (Urbs disseny i comunicacio S.L. -> Urbs disseny i comunicacio S.L) <==== ATTENTION Task: {FD072039-99A6-41FC-B67F-1BA223C54434} - System32\Tasks\SpartanSentinel_Master => C:\Program Files (x86)\Spartan Sentinel\InstAct.exe [40208 2019-05-17] (Urbs disseny i comunicacio S.L. -> Urbs disseny i comunicacio S.L) <==== ATTENTION C:\Windows\System32\Tasks\SpartanSentinel_PPO C:\Windows\System32\Tasks\SpartanSentinel_Popup C:\Windows\System32\Tasks\SpartanSentinel-User_Account_Control C:\Windows\System32\Tasks\SpartanSentinel_Master C:\Users\Public\Desktop\Spartan Sentinel.lnk C:\Users\{username}\AppData\Local\SpartanSentinel C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spartan Sentinel C:\Program Files (x86)\Spartan Sentinel C:\Users\{username}\AppData\Roaming\Install Spartan Sentinel Spartan Sentinel (HKLM-x32\...\{4D9AB16A-7A90-4213-9AFF-C0E6D360D4CF}) (Version: 3.9.2 - Urbs disseny i comunicacio S.L) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Spartan Sentinel Adds the file CaByp.CA.dll"="5/17/2019 9:47 AM, 1557840 bytes, A Adds the file CaByp.dll"="5/17/2019 9:47 AM, 215312 bytes, A Adds the file Esent.Interop.dll"="5/10/2019 11:16 AM, 341776 bytes, A Adds the file InstAct.exe"="5/17/2019 9:47 AM, 40208 bytes, A Adds the file InstAct.exe.config"="5/10/2019 11:16 AM, 232 bytes, A Adds the file Manger.dll"="5/17/2019 9:47 AM, 21264 bytes, A Adds the file Microsoft.Deployment.WindowsInstaller.dll"="11/18/2017 1:59 PM, 191248 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="5/10/2019 11:16 AM, 326416 bytes, A Adds the file Newtonsoft.Json.dll"="5/10/2019 11:16 AM, 509200 bytes, A Adds the file Perpetuum.dll"="5/17/2019 9:47 AM, 187664 bytes, A Adds the file Push.exe"="5/17/2019 9:47 AM, 37136 bytes, A Adds the file Push.exe.config"="5/10/2019 11:16 AM, 224 bytes, A Adds the file README.txt"="9/18/2019 9:17 AM, 242 bytes, A Adds the file schedc.exe"="5/17/2019 9:47 AM, 30992 bytes, A Adds the file schedc.exe.config"="5/10/2019 11:16 AM, 232 bytes, A Adds the file schedc10.exe"="5/17/2019 9:47 AM, 33552 bytes, A Adds the file schedc10.exe.config"="5/10/2019 11:16 AM, 232 bytes, A Adds the file Setup.dll"="5/17/2019 9:47 AM, 100624 bytes, A Adds the file SpartanSentinel.exe"="5/17/2019 9:47 AM, 5402896 bytes, A Adds the file SpartanSentinel.exe.config"="5/10/2019 11:16 AM, 306 bytes, A Adds the file System.Data.SQLite.dll"="5/10/2019 11:16 AM, 1435408 bytes, A Adds the file TaskTools.exe"="5/17/2019 9:47 AM, 54032 bytes, A Adds the file TaskTools.exe.config"="5/10/2019 11:16 AM, 231 bytes, A Adds the file updater.exe"="5/10/2019 11:16 AM, 644880 bytes, A Adds the file updater.ini"="9/18/2019 9:17 AM, 400 bytes, A Adds the file Util.dll"="5/17/2019 9:47 AM, 307984 bytes, A Adds the folder C:\Program Files (x86)\Spartan Sentinel\ar Adds the file CaByp.resources.dll"="5/17/2019 9:47 AM, 19216 bytes, A Adds the file SpartanSentinel.resources.dll"="5/17/2019 9:47 AM, 80656 bytes, A Adds the folder C:\Program Files (x86)\Spartan Sentinel\x64 Adds the file DecryptTool.exe"="5/17/2019 9:46 AM, 30480 bytes, A Adds the file DecryptTool.exe.config"="5/10/2019 11:16 AM, 229 bytes, A Adds the folder C:\Program Files (x86)\Spartan Sentinel\x86 Adds the file DecryptTool.exe"="5/17/2019 9:47 AM, 31504 bytes, A Adds the file DecryptTool.exe.config"="5/10/2019 11:16 AM, 229 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spartan Sentinel Adds the file Spartan Sentinel.lnk"="9/18/2019 9:17 AM, 1046 bytes, A Adds the file Uninstall Spartan Sentinel.lnk"="9/18/2019 9:17 AM, 1820 bytes, A Adds the folder C:\Users\{username}\AppData\Local\SpartanSentinel Adds the file chcookies.txt"="9/18/2019 9:17 AM, 18716 bytes, A Adds the file cnfg"="9/18/2019 9:17 AM, 304 bytes, A Adds the file debug.log"="9/18/2019 9:18 AM, 3014 bytes, A Adds the file ffcookies.txt"="9/18/2019 9:17 AM, 26204 bytes, A Adds the file iecookies.txt"="9/18/2019 9:17 AM, 9372 bytes, A Adds the file log.rtf"="9/18/2019 9:18 AM, 1282 bytes, A Adds the file lsttick"="9/18/2019 9:17 AM, 8 bytes, A Adds the file lupa"="9/18/2019 9:18 AM, 0 bytes, A Adds the file report.txt"="9/18/2019 9:18 AM, 92 bytes, A Adds the file SpartanSentinel.settings"="9/18/2019 9:18 AM, 2224 bytes, A Adds the file TrialDb.db"="5/10/2019 11:16 AM, 757760 bytes, A Adds the file wndstate.tmp"="9/18/2019 9:17 AM, 5 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Install Spartan Sentinel\Urbs disseny i comunicacio S.L\Spartan Sentinel 3.9.2 Adds the file installlog.txt"="9/18/2019 9:17 AM, 572536 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Spartan Sentinel.lnk"="9/18/2019 9:17 AM, 1028 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file SpartanSentinel_Master"="9/18/2019 9:17 AM, 3120 bytes, A Adds the file SpartanSentinel_Popup"="9/18/2019 9:17 AM, 3598 bytes, A Adds the file SpartanSentinel_PPO"="9/18/2019 9:17 AM, 3606 bytes, A Adds the file SpartanSentinel-User_Account_Control"="9/18/2019 9:17 AM, 3452 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4D9AB16A-7A90-4213-9AFF-C0E6D360D4CF}] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "This installer database contains the logic and data required to install Spartan Sentinel." "Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "Spartan Sentinel" "DisplayVersion"="REG_SZ", "3.9.2" "EstimatedSize"="REG_DWORD", 13252 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20190918" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Spartan Sentinel\" "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Install Spartan Sentinel\Urbs disseny i comunicacio S.L\Spartan Sentinel 3.9.2\install\360D4CF\" "Language"="REG_DWORD", 1033 "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /X{4D9AB16A-7A90-4213-9AFF-C0E6D360D4CF}" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Urbs disseny i comunicacio S.L" "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /X{4D9AB16A-7A90-4213-9AFF-C0E6D360D4CF}" "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 50921474 "VersionMajor"="REG_DWORD", 3 "VersionMinor"="REG_DWORD", 9 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Urbs disseny i comunicacio S.L\Spartan Sentinel] "Path"="REG_SZ", "C:\Program Files (x86)\Spartan Sentinel\" "Version"="REG_SZ", "3.9.2" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ASP.NET_4.0.30319\Names] "AFtyCActL5AKV4bLSR3BoHIcGz34b5rb39uof3BaSzik06jYzTBTbMafcqXgVNVFlh3wmEyfE3JglFAkTOdugrznmofiU6cp5ai1HwxAkNjiUjbsZuCf5p"="REG_DWORD", 592 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "SpartanSentinel"="REG_SZ", ""C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe" minimized" [HKEY_CURRENT_USER\Software\SpartanSentinelValidity] "Base"="REG_SZ", "Oracle CorporationBase Board0" "Bios"="REG_SZ", "innotek GmbHVirtualBox020061201000000.000000+000VBOX - 1" "BuyLink"="REG_SZ", "https://www.spartansentinel.net/checkout.php" "Cpu"="REG_SZ", "Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz2808" "default"="REG_SZ", "EAAAAHB7efSnqhaTiIhEa68mRXIAVzQ15mcmFC0qI0/3MB95f5t2JGi0Hez+l2TA/2gRUw==" "defaultL"="REG_SZ", "EAAAAH8g0WLhJPsDvN+jpAL64lknF/yXKHz9N6kQEu1XyokM7hN5diGgBtU2lcykT4TgNw==" "defaultR"="REG_SZ", "EAAAAHB7efSnqhaTiIhEa68mRXIAVzQ15mcmFC0qI0/3MB95f5t2JGi0Hez+l2TA/2gRUw==" "defaultT"="REG_SZ", "EAAAAGBTbYDBAoBskGn8T32zGzHzMgUXT5wObNqAxqO8+7hR" "Disk"="REG_SZ", "VBOX HARDDISK ATA Device(Standard disk drives)" "lang"="REG_SZ", "en" "Mac"="REG_SZ", "EAAAAJ5IbPwrcIHqwczdcN63gi6qSAsPel9nqmdNiFW4F" "NeedsRenewal"="REG_SZ", "False" "PhoneNum"="REG_SZ", "SUPPORT" "Reg"="REG_SZ", "EAAAAFtxFCAEU2J4PcSaDcZMnYyoczmo/W3iUh1Vv5HaqOVn" "Rti"="REG_SZ", "449" "SplashTime"="REG_QWORD, .... "Support"="REG_SZ", "https://www.spartansentinel.net/support.php" [HKEY_CURRENT_USER\Software\Urbs disseny i comunicacio S.L\Spartan Sentinel] "AI_SETUPEXEPATH"="REG_SZ", "C:\Users\{username}\Desktop\SpartanSentinelSetup.exe" "Custom1"="REG_DWORD", 0 "Custom2"="REG_DWORD", 0 "Params"="REG_SZ", "arg1= arg2= arg3= arg4= arg5= arg6= arg7= arg8= arg9= setupexepath="C:\Users\{username}\Desktop\SpartanSentinelSetup.exe"" "ResName"="REG_SZ", "Regular" "UpgradeCode"="REG_SZ", "{D967FFB5-63BA-4EDB-A2AB-138FFDACCBB4}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/18/19 Scan Time: 9:36 AM Log File: 03fa8ad4-d9e7-11e9-9ba3-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12533 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235923 Threats Detected: 124 Threats Quarantined: 123 Time Elapsed: 14 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe, Quarantined, [1197], [734668],1.0.12533 Module: 2 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\System.Data.SQLite.dll, Quarantined, [1197], [734668],1.0.12533 Registry Key: 16 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SpartanSentinel_Master, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FD072039-99A6-41FC-B67F-1BA223C54434}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{FD072039-99A6-41FC-B67F-1BA223C54434}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SpartanSentinel_Popup, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{60D06933-F395-44C6-A32F-9920FDB41542}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{60D06933-F395-44C6-A32F-9920FDB41542}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SpartanSentinel_PPO, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{85C83886-911C-47F1-8683-71DAAEB8B1CD}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{85C83886-911C-47F1-8683-71DAAEB8B1CD}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SpartanSentinel-User_Account_Control, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F6FA1436-0647-4A28-8543-992DE2DF7636}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{F6FA1436-0647-4A28-8543-992DE2DF7636}, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKCU\SOFTWARE\SpartanSentinelValidity, Quarantined, [1197], [734681],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4D9AB16A-7A90-4213-9AFF-C0E6D360D4CF}, Quarantined, [1197], [734684],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\WOW6432NODE\URBS DISSENY I COMUNICACIO S.L\Spartan Sentinel, Quarantined, [1197], [734678],1.0.12533 PUP.Optional.SpartanSentinel, HKCU\SOFTWARE\URBS DISSENY I COMUNICACIO S.L\Spartan Sentinel, Quarantined, [1197], [734682],1.0.12533 Registry Value: 6 PUP.Optional.SpartanSentinel, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SpartanSentinel, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4D9AB16A-7A90-4213-9AFF-C0E6D360D4CF}|DISPLAYNAME, Quarantined, [1197], [734684],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{60D06933-F395-44C6-A32F-9920FDB41542}|PATH, Quarantined, [1197], [734674],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{85C83886-911C-47F1-8683-71DAAEB8B1CD}|PATH, Quarantined, [1197], [734674],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F6FA1436-0647-4A28-8543-992DE2DF7636}|PATH, Quarantined, [1197], [734674],1.0.12533 PUP.Optional.SpartanSentinel, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FD072039-99A6-41FC-B67F-1BA223C54434}|PATH, Quarantined, [1197], [734674],1.0.12533 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 21 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\se-FI, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\x64, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\x86, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ar, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\da, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\de, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\es, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\fr, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\it, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ja, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\nl, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\no, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\pt, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ru, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\sv, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\PROGRAM FILES (X86)\SPARTAN SENTINEL, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPARTAN SENTINEL, Quarantined, [1197], [734670],1.0.12533 PUP.Optional.SpartanSentinel, C:\USERS\{username}\APPDATA\LOCAL\SPARTANSENTINEL, Removal Failed, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Roaming\Install Spartan Sentinel\Urbs disseny i comunicacio S.L\Spartan Sentinel 3.9.2, Quarantined, [1197], [734672],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Roaming\Install Spartan Sentinel\Urbs disseny i comunicacio S.L, Quarantined, [1197], [734672],1.0.12533 PUP.Optional.SpartanSentinel, C:\USERS\{username}\APPDATA\ROAMING\INSTALL SPARTAN SENTINEL, Quarantined, [1197], [734672],1.0.12533 File: 78 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ar\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ar\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\da\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\da\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\de\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\de\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\es\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\es\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\fr\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\fr\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\it\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\it\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ja\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ja\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\nl\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\nl\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\no\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\no\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\pt\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\pt\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ru\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\ru\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\se-FI\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\se-FI\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\sv\CaByp.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\sv\SpartanSentinel.resources.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\x64\DecryptTool.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\x64\DecryptTool.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\x86\DecryptTool.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\x86\DecryptTool.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\CaByp.CA.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\CaByp.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Esent.Interop.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\InstAct.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\InstAct.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Manger.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Microsoft.Deployment.WindowsInstaller.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Newtonsoft.Json.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Perpetuum.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Push.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Push.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\README.txt, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\schedc.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\schedc.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\schedc10.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\schedc10.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Setup.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\SpartanSentinel.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\System.Data.SQLite.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\TaskTools.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\TaskTools.exe.config, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\updater.exe, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\updater.ini, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\Program Files (x86)\Spartan Sentinel\Util.dll, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\WINDOWS\SYSTEM32\TASKS\SpartanSentinel_Master, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\WINDOWS\SYSTEM32\TASKS\SpartanSentinel_Popup, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\WINDOWS\SYSTEM32\TASKS\SpartanSentinel_PPO, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Spartan Sentinel.lnk, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\USERS\PUBLIC\Desktop\Spartan Sentinel.lnk, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\WINDOWS\SYSTEM32\TASKS\SpartanSentinel-User_Account_Control, Quarantined, [1197], [734668],1.0.12533 PUP.Optional.SpartanSentinel, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spartan Sentinel\Spartan Sentinel.lnk, Quarantined, [1197], [734670],1.0.12533 PUP.Optional.SpartanSentinel, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spartan Sentinel\Uninstall Spartan Sentinel.lnk, Quarantined, [1197], [734670],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\chcookies.txt, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\cnfg, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\debug.log, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\ffcookies.txt, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\iecookies.txt, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\log.rtf, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\lsttick, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\lupa, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\report.txt, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\SpartanSentinel.settings, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\TrialDb.db, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Local\SpartanSentinel\wndstate.tmp, Quarantined, [1197], [734671],1.0.12533 PUP.Optional.SpartanSentinel, C:\Users\{username}\AppData\Roaming\Install Spartan Sentinel\Urbs disseny i comunicacio S.L\Spartan Sentinel 3.9.2\installlog.txt, Quarantined, [1197], [734672],1.0.12533 PUP.Optional.SpartanSentinel, C:\USERS\{username}\DESKTOP\SPARTANSENTINELSETUP.EXE, Quarantined, [1197], [734665],1.0.12533 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is Win Magician?The Malwarebytes research team has determined that Win Magician is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.This particular one is also a bundler, so you may find other software installed.How do I know if I am infected with Win Magician?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did Win Magician get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Win Magician?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Win Magician? No, Malwarebytes removes Win Magician completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Win Magician installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (PC MAGICIANS INC -> winmagician.com) C:\Program Files\Win Magician\wmgc.exe Task: {2E309F4C-2C37-4858-BBF4-B1D4E8128C8E} - System32\Tasks\Win Magician => C:\Program Files\Win Magician\wmgcmntr.exe [199424 2019-06-17] (PC MAGICIANS INC -> winmagician.com) Task: {B728ADE0-F778-4283-8C99-786B21595E57} - System32\Tasks\Win Magician_Logon => C:\Program Files\Win Magician\wmgcmntr.exe [199424 2019-06-17] (PC MAGICIANS INC -> winmagician.com) C:\Windows\System32\Tasks\Win Magician C:\Windows\System32\Tasks\Win Magician_Logon C:\Users\Public\Desktop\Win Magician.lnk C:\Users\{username}\AppData\Roaming\winmagician.com C:\ProgramData\winmagician.com C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Magician C:\Program Files\Win Magician Win Magician (HKLM\...\{A523969E-77B0-4DA0-840A-56262EBCA291}_is1) (Version: 1.0.0.21 - winmagician.com) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Win Magician Adds the file HtmlRenderer.dll"="6/5/2019 7:13 PM, 236800 bytes, A Adds the file HtmlRenderer.WPF.dll"="6/5/2019 7:13 PM, 63232 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="6/5/2019 7:13 PM, 64256 bytes, A Adds the file langs.db"="6/14/2019 7:44 PM, 2150400 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="6/5/2019 7:13 PM, 186112 bytes, A Adds the file Microsoft.WindowsAPICodePack.dll"="6/5/2019 7:13 PM, 113408 bytes, A Adds the file Microsoft.WindowsAPICodePack.Shell.dll"="6/5/2019 7:13 PM, 557312 bytes, A Adds the file msvcp100.dll"="5/29/2019 1:29 PM, 421200 bytes, A Adds the file msvcr100.dll"="5/29/2019 1:29 PM, 773968 bytes, A Adds the file Newtonsoft.Json.dll"="6/5/2019 7:13 PM, 475904 bytes, A Adds the file PresentationCore.dll"="6/5/2019 7:13 PM, 1428224 bytes, A Adds the file System.Data.SQLite.DLL"="6/5/2019 7:13 PM, 346880 bytes, A Adds the file System.Threading.dll"="5/29/2019 1:29 PM, 387408 bytes, A Adds the file TAFactory.IconPack.dll"="6/5/2019 7:13 PM, 59472 bytes, A Adds the file unins000.dat"="9/17/2019 9:29 AM, 67755 bytes, A Adds the file unins000.exe"="9/17/2019 9:29 AM, 1218304 bytes, A Adds the file unins000.msg"="9/17/2019 9:29 AM, 22697 bytes, A Adds the file wmgc.exe"="6/17/2019 6:43 PM, 3549440 bytes, A Adds the file wmgc.exe.config"="6/17/2019 2:35 PM, 2071 bytes, A Adds the file wmgcmntr.exe"="6/17/2019 6:43 PM, 199424 bytes, A Adds the file wmgcmntr.exe.config"="5/29/2019 1:29 PM, 814 bytes, A Adds the file WPFToolkit.dll"="5/29/2019 1:29 PM, 467288 bytes, A Adds the folder C:\Program Files\Win Magician\websec Adds the file ICSharpCode.SharpZipLib.dll"="6/5/2019 7:13 PM, 207616 bytes, A Adds the file langs.db"="10/26/2017 5:42 PM, 65536 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="6/5/2019 7:13 PM, 186112 bytes, A Adds the file Newtonsoft.Json.dll"="6/5/2019 7:13 PM, 475904 bytes, A Adds the file System.Data.SQLite.DLL"="6/5/2019 7:13 PM, 346880 bytes, A Adds the file System.Data.SQLite.Linq.dll"="6/5/2019 7:13 PM, 211712 bytes, A Adds the file System.Threading.dll"="5/29/2019 1:29 PM, 387408 bytes, A Adds the file TAFactory.IconPack.dll"="6/5/2019 7:13 PM, 59472 bytes, A Adds the file WebExtNotifier.exe"="6/5/2019 7:13 PM, 1007360 bytes, A Adds the file WebExtNotifier.exe.config"="9/12/2017 4:45 PM, 1321 bytes, A Adds the folder C:\Program Files\Win Magician\websec\x64 Adds the file SQLite.Interop.dll"="6/5/2019 7:13 PM, 1495296 bytes, A Adds the folder C:\Program Files\Win Magician\websec\x86 Adds the file SQLite.Interop.dll"="6/5/2019 7:13 PM, 1062144 bytes, A Adds the folder C:\Program Files\Win Magician\x64 Adds the file SQLite.Interop.dll"="6/5/2019 7:13 PM, 1495296 bytes, A Adds the folder C:\Program Files\Win Magician\x86 Adds the file SQLite.Interop.dll"="6/5/2019 7:13 PM, 1062144 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Magician Adds the file Buy Win Magician.lnk"="9/17/2019 9:29 AM, 844 bytes, A Adds the file Uninstall Win Magician.lnk"="9/17/2019 9:29 AM, 858 bytes, A Adds the file Win Magician.lnk"="9/17/2019 9:29 AM, 834 bytes, A Adds the folder C:\ProgramData\winmagician.com\Win Magician Adds the file mdb.db"="12/18/2018 7:14 PM, 38768640 bytes, A Adds the folder C:\ProgramData\winmagician.com\Win Magician\Definition Adds the file appestmapi.json"="9/17/2019 9:31 AM, 9614423 bytes, A Adds the file ChromeExtentions.bin"="9/17/2019 9:44 AM, 60792 bytes, A Adds the file ChromeFiles.bin"="9/17/2019 9:44 AM, 167872 bytes, A Adds the file ChromeSearch.bin"="9/17/2019 9:44 AM, 43888 bytes, A Adds the file CLSID.bin"="9/17/2019 9:32 AM, 213944 bytes, A Adds the file FileNames.bin"="9/17/2019 9:47 AM, 52408 bytes, A Adds the file FilesPath.bin"="9/17/2019 9:48 AM, 2413792 bytes, A Adds the file FirefoxExtentions.bin"="9/17/2019 9:44 AM, 66184 bytes, A Adds the file FirefoxFiles.bin"="9/17/2019 9:45 AM, 41224 bytes, A Adds the file FirefoxSearch.bin"="9/17/2019 9:45 AM, 40320 bytes, A Adds the file FolderNames.bin"="9/17/2019 9:44 AM, 101176 bytes, A Adds the file FoldersPath.bin"="9/17/2019 9:47 AM, 1080736 bytes, A Adds the file IEExtension.bin"="9/17/2019 9:45 AM, 720 bytes, A Adds the file IESearch.bin"="9/17/2019 9:45 AM, 7384 bytes, A Adds the file MalwareDetails.bin"="9/17/2019 9:31 AM, 1951464 bytes, A Adds the file Md5Hash.bin"="9/17/2019 9:35 AM, 11847424 bytes, A Adds the file Plugins.bin"="9/17/2019 9:45 AM, 2168 bytes, A Adds the file Registry.bin"="9/17/2019 9:33 AM, 14238528 bytes, A Adds the file RegistrySetting.bin"="9/17/2019 9:34 AM, 1546848 bytes, A Adds the file Services.bin"="9/17/2019 9:35 AM, 17936 bytes, A Adds the file SoftwaresEntry.bin"="9/17/2019 9:34 AM, 66336 bytes, A Adds the file StartupTask.bin"="9/17/2019 9:44 AM, 2880 bytes, A Adds the file URLS.bin"="9/17/2019 9:45 AM, 30608 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician Adds the file act.xml"="9/17/2019 9:30 AM, 346 bytes, A Adds the file bkp.xml"="9/17/2019 9:40 AM, 373 bytes, A Adds the file Errorlog.txt"="9/17/2019 9:53 AM, 9500 bytes, A Adds the file exlist.bin"="9/17/2019 9:30 AM, 275697 bytes, A Adds the file Result.cb"="9/17/2019 9:53 AM, 21435 bytes, A Adds the file update.xml"="9/17/2019 9:30 AM, 2952 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\Backups Adds the file wtcbackup_17092019_093212.zip"="9/17/2019 9:39 AM, 42515869 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\icon Adds the file 095320.ico"="9/17/2019 9:53 AM, 40340 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog Adds the file Bookmark_Backup.xml"="9/17/2019 9:31 AM, 944 bytes, A Adds the file Cache.xml"="9/17/2019 9:32 AM, 49548 bytes, A Adds the file Cookies.xml"="9/17/2019 9:31 AM, 4748 bytes, A Adds the file Dump_Files.xml"="9/17/2019 9:31 AM, 154 bytes, A Adds the file History.xml"="9/17/2019 9:31 AM, 1483 bytes, A Adds the file LogFilesActivityTrace.xml"="9/17/2019 9:32 AM, 513 bytes, A Adds the file Session.xml"="9/17/2019 9:32 AM, 1940 bytes, A Adds the file Temp_Internet_Files_Folder.xml"="9/17/2019 9:31 AM, 11708 bytes, A Adds the file TempFiles.xml"="9/17/2019 9:32 AM, 81510 bytes, A Adds the file ThumbnailCache.xml"="9/17/2019 9:32 AM, 730 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\smico In the existing folder C:\Users\Public\Desktop Adds the file Win Magician.lnk"="9/17/2019 9:53 AM, 1857 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Win Magician"="9/17/2019 9:30 AM, 3348 bytes, A Adds the file Win Magician_Logon"="9/17/2019 9:30 AM, 3038 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\d2lubWFnaWNpYW4uY29t\V2luIE1hZ2ljaWFu\ACT] "data"="REG_BINARY, .................................................................................................. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A523969E-77B0-4DA0-840A-56262EBCA291}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Win Magician\wmgc.exe" "DisplayName"="REG_SZ", "Win Magician" "DisplayVersion"="REG_SZ", "1.0.0.21" "EstimatedSize"="REG_DWORD", 49711 "HelpLink"="REG_SZ", "http://www.winmagician.com/support/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Win Magician" "Inno Setup: Icon Group"="REG_SZ", "Win Magician" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.5 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190917" "InstallLocation"="REG_SZ", "C:\Program Files\Win Magician\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "winmagician.com" "QuietUninstallString"="REG_SZ", ""C:\Program Files\Win Magician\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Win Magician\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://www.winmagician.com/" [HKEY_LOCAL_MACHINE\SOFTWARE\winmagician.com\Win Magician] "affired"="REG_DWORD", 0 "afterInstallUrl"="REG_SZ", "http://ins.winmagician.com/install/wmg/?" "apst"="REG_DWORD", 0 "bdInst"="REG_DWORD", 0 "btnid"="REG_SZ", "" "country"="REG_SZ", "" "cta"="REG_DWORD", 0 "delay"="REG_DWORD", 0 "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .................................................................................... "hdinstpg"="REG_DWORD", 0 "hdunistpg"="REG_DWORD", 0 "InstallString"="REG_SZ", "C:\Program Files\Win Magician" "ipaddrurl"="REG_SZ", "http://ins.winmagician.com/getip/" "isfullscan"="REG_DWORD", 0 "isinstfont"="REG_DWORD", 1 "isreg"="REG_DWORD", 0 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "lstscnsett"="REG_BINARY, ...............................................................'........................ "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.winmagician.com/ipfiles/" "playsound"="REG_DWORD", 0 "ppid"="REG_DWORD", 113 "ppinag"="REG_DWORD", 0 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.winmagician.com/wmg/plan/" "pxl"="REG_SZ", "WMG4680_WMG4579_WMG2332" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.winmagician.com/wmg/renewal/" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runpub"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showballoontip"="REG_DWORD", 0 "showpriceplan"="REG_DWORD", 4 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "shwtutrl"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.winmagician.com/support/" "tcfl"="REG_DWORD", 1 "TELNO"="REG_SZ", "877-259-9621" "utm_campaign"="REG_SZ", "wmgdflt" "utm_medium"="REG_SZ", "wmgdflt" "utm_source"="REG_SZ", "wmgdflt" "WebURL"="REG_SZ", "http://www.winmagician.com/" "x-at"="REG_SZ", "" "x-ccode"="REG_SZ", "us" "x-context"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "{userIP}" "x-plt"="REG_SZ", "" "x-uid"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\wmgc-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "phone"="REG_SZ", "" "referurl"="REG_SZ", "" "utm_medium"="REG_SZ", "wmgdflt" "utm_pubid"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\winmagician.com\Win Magician] "InstallString"="REG_SZ", "C:\Program Files\Win Magician" "LangCode"="REG_SZ", "en" "pxl"="REG_SZ", "WMG4680_WMG4579_WMG2332" "TELNO"="REG_SZ", "877-259-9621" "utm_campaign"="REG_SZ", "wmgdflt" "utm_medium"="REG_SZ", "wmgdflt" "utm_source"="REG_SZ", "wmgdflt" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "{userIP}8" [HKEY_CURRENT_USER\Software\winmagician.com\Win Magician\1.0.0.21] Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/17/19 Scan Time: 10:16 AM Log File: 64851262-d923-11e9-b81f-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12517 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235914 Threats Detected: 142 Threats Quarantined: 142 Time Elapsed: 17 min, 7 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Win Magician\wmgc.exe, Quarantined, [476], [722480],1.0.12517 Module: 10 PUP.Optional.PCVARK, C:\Program Files\Win Magician\x64\SQLite.Interop.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\System.Data.SQLite.DLL, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\HtmlRenderer.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\HtmlRenderer.WPF.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Interop.IWshRuntimeLibrary.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Microsoft.Win32.TaskScheduler.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Newtonsoft.Json.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\System.Threading.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\wmgc.exe, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\WPFToolkit.dll, Quarantined, [476], [722480],1.0.12517 Registry Key: 11 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{A523969E-77B0-4DA0-840A-56262EBCA291}_is1, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Win Magician, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2E309F4C-2C37-4858-BBF4-B1D4E8128C8E}, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{2E309F4C-2C37-4858-BBF4-B1D4E8128C8E}, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Win Magician_Logon, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B728ADE0-F778-4283-8C99-786B21595E57}, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{B728ADE0-F778-4283-8C99-786B21595E57}, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, HKCU\SOFTWARE\winmagician.com, Quarantined, [476], [722482],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\WMGC-PR, Quarantined, [476], [722493],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\d2lubWFnaWNpYW4uY29t, Quarantined, [476], [722491],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\winmagician.com, Quarantined, [476], [722483],1.0.12517 Registry Value: 3 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2E309F4C-2C37-4858-BBF4-B1D4E8128C8E}|PATH, Quarantined, [476], [722487],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\WMGC-PR|AFFILIATEID, Quarantined, [476], [722493],1.0.12517 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B728ADE0-F778-4283-8C99-786B21595E57}|PATH, Quarantined, [476], [722487],1.0.12517 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 23 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\WIN MAGICIAN, Quarantined, [476], [722476],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\x64, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\x86, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\x64, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\x86, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\PROGRAM FILES\WIN MAGICIAN, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\PROGRAMDATA\WINMAGICIAN.COM, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\Backups, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\smico, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\icon, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\WINMAGICIAN.COM, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\FF, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\GC, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\IE, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\PROGRAMDATA\AD-BLOCKER.ORG, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\ad-blocker.org\Ad-BlockerPro, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\AD-BLOCKER.ORG, Quarantined, [476], [726336],1.0.12517 File: 94 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\WIN MAGICIAN\Buy Win Magician.lnk, Quarantined, [476], [722476],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Magician\Uninstall Win Magician.lnk, Quarantined, [476], [722476],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Magician\Win Magician.lnk, Quarantined, [476], [722476],1.0.12517 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\WIN MAGICIAN.LNK, Quarantined, [476], [722475],1.0.12517 PUP.Optional.PCVARK, C:\PROGRAM FILES\WIN MAGICIAN\UNINS000.DAT, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\x64\SQLite.Interop.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\x86\SQLite.Interop.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\ICSharpCode.SharpZipLib.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\langs.db, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\Microsoft.Win32.TaskScheduler.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\Newtonsoft.Json.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\System.Data.SQLite.DLL, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\System.Data.SQLite.Linq.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\System.Threading.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\TAFactory.IconPack.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\WebExtNotifier.exe, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\websec\WebExtNotifier.exe.config, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\x64\SQLite.Interop.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\x86\SQLite.Interop.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\System.Data.SQLite.DLL, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\HtmlRenderer.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\HtmlRenderer.WPF.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Interop.IWshRuntimeLibrary.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\langs.db, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Microsoft.Win32.TaskScheduler.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Microsoft.WindowsAPICodePack.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Microsoft.WindowsAPICodePack.Shell.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\msvcp100.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\msvcr100.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\Newtonsoft.Json.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\PresentationCore.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\System.Threading.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\TAFactory.IconPack.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\unins000.exe, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\unins000.msg, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\wmgc.exe, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\wmgc.exe.config, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\wmgcmntr.exe, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\wmgcmntr.exe.config, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\Program Files\Win Magician\WPFToolkit.dll, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Win Magician.lnk, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Win Magician, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Win Magician_Logon, Quarantined, [476], [722480],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\appestmapi.json, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\ChromeExtentions.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\ChromeFiles.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\ChromeSearch.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\CLSID.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\FileNames.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\FilesPath.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\FirefoxExtentions.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\FirefoxFiles.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\FirefoxSearch.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\FolderNames.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\FoldersPath.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\IEExtension.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\IESearch.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\MalwareDetails.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\Md5Hash.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\Plugins.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\Registry.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\RegistrySetting.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\Services.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\SoftwaresEntry.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\StartupTask.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\Definition\URLS.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\winmagician.com\Win Magician\mdb.db, Delete-on-Reboot, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\Backups\wtcbackup_17092019_093212.zip, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\icon\095320.ico, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\Bookmark_Backup.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\Cache.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\Cookies.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\Dump_Files.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\History.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\LogFilesActivityTrace.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\Session.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\TempFiles.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\Temp_Internet_Files_Folder.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\junklog\ThumbnailCache.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\act.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\bkp.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\Errorlog.txt, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\exlist.bin, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\Result.cb, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\winmagician.com\Win Magician\update.xml, Quarantined, [476], [722473],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\FF\com.adblockerpro.native.json, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\FF\install_host.bat, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\GC\com.adblockerpro.native.json, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\GC\install_host.bat, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\IE\com.adblockerpro.native.json, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\ProgramData\ad-blocker.org\Ad-BlockerPro\IE\install_host.bat, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\ad-blocker.org\Ad-BlockerPro\2019_09_17_ErrorLog.txt, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\ad-blocker.org\Ad-BlockerPro\langs.db, Quarantined, [476], [726336],1.0.12517 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\WINMAGICIAN.EXE, Quarantined, [476], [722472],1.0.12517 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.