Jump to content

Metallica

Staff
  • Content Count

    2,535
  • Joined

  • Last visited

Everything posted by Metallica

  1. What is 101Sweets Search?The Malwarebytes research team has determined that 101Sweets Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by 101Sweets Search?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:this changed setting:and these warnings during install:How did 101Sweets Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove 101Sweets Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of 101Sweets Search? No, Malwarebytes removes 101Sweets Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the 101Sweets Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://services.101sweets-svc.com/search/{searchTerms} CHR DefaultSearchKeyword: Default -> {searchTerms} CHR DefaultSuggestURL: Default -> hxxps://sug.101sweets-svc.com/sug/?s={searchTerms} CHR Extension: (101Sweets) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh [2020-02-21] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0 Adds the file manifest.json"="2/21/2020 8:48 AM, 2122 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\_metadata Adds the file computed_hashes.json"="2/21/2020 8:48 AM, 2709 bytes, A Adds the file verified_contents.json"="9/17/2019 3:26 PM, 4028 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\background Adds the file contextMenus.js"="9/17/2019 3:26 PM, 634 bytes, A Adds the file ext.js"="9/17/2019 3:26 PM, 4653 bytes, A Adds the file index.html"="9/17/2019 3:26 PM, 534 bytes, A Adds the file listeners.js"="9/17/2019 3:26 PM, 1130 bytes, A Adds the file omni.js"="9/17/2019 3:26 PM, 788 bytes, A Adds the file search.js"="9/17/2019 3:26 PM, 847 bytes, A Adds the file settings.js"="9/17/2019 3:26 PM, 305 bytes, A Adds the file startup.js"="9/17/2019 3:26 PM, 2707 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\icons Adds the file 128.png"="2/21/2020 8:48 AM, 14237 bytes, A Adds the file 16.png"="2/21/2020 8:48 AM, 653 bytes, A Adds the file 32.png"="2/21/2020 8:48 AM, 1728 bytes, A Adds the file 48.png"="2/21/2020 8:48 AM, 3759 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\options Adds the file options.css"="9/17/2019 3:26 PM, 170 bytes, A Adds the file options.html"="9/17/2019 3:26 PM, 486 bytes, A Adds the file options.js"="9/17/2019 3:26 PM, 134 bytes, A Adds the file tabContent.js"="9/17/2019 3:26 PM, 1770 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\popup Adds the file popup.css"="9/17/2019 3:26 PM, 309 bytes, A Adds the file popup.html"="9/17/2019 3:26 PM, 644 bytes, A Adds the file popup.js"="9/17/2019 3:26 PM, 297 bytes, A Adds the file tabContent.js"="9/17/2019 3:26 PM, 1427 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbnogofnebnbocodmijnbmobmeakcdh\1.1.19.916_0\prompt Adds the file green-up-arrow.png"="9/17/2019 3:26 PM, 18156 bytes, A Adds the file ok-green-square.png"="9/17/2019 3:26 PM, 28442 bytes, A Adds the file prompt.js"="9/17/2019 3:26 PM, 3327 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh Adds the file 000003.log"="2/21/2020 8:48 AM, 801 bytes, A Adds the file CURRENT"="2/21/2020 8:48 AM, 16 bytes, A Adds the file LOCK"="2/21/2020 8:48 AM, 0 bytes, A Adds the file LOG"="2/21/2020 8:51 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/21/2020 8:48 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh Adds the file 000003.log"="2/21/2020 8:48 AM, 83 bytes, A Adds the file CURRENT"="2/21/2020 8:48 AM, 16 bytes, A Adds the file LOCK"="2/21/2020 8:48 AM, 0 bytes, A Adds the file LOG"="2/21/2020 8:51 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/21/2020 8:48 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bhbnogofnebnbocodmijnbmobmeakcdh"="REG_SZ", "15DC3F633D7F423DA767B2F951C1591AC6D70CD8A0F9FD87039C40B492BEF22C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/21/20 Scan Time: 8:57 AM Log File: d560ec7c-547f-11ea-af09-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19536 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235977 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 37 min, 57 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TightRopeInteractive.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bhbnogofnebnbocodmijnbmobmeakcdh, Quarantined, 15100, 792704, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BHBNOGOFNEBNBOCODMIJNBMOBMEAKCDH, Quarantined, 15100, 792704, 1.0.19536, , ame, File: 13 PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\000003.log, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\CURRENT, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOCK, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOG, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\MANIFEST-000001, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\000003.log, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\CURRENT, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOCK, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\LOG, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhbnogofnebnbocodmijnbmobmeakcdh\MANIFEST-000001, Quarantined, 15100, 792704, , , , PUP.Optional.TightRopeInteractive.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BHBNOGOFNEBNBOCODMIJNBMOBMEAKCDH\1.1.19.916_0\MANIFEST.JSON, Quarantined, 15100, 792704, 1.0.19536, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is TinyChill? The Malwarebytes research team has determined that TinyChill is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by TinyChill? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and this changed setting: and if you have allowed notifications you may see popups like this one: How did TinyChill get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove TinyChill? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TinyChill? No, Malwarebytes removes TinyChill completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard, as well as the full version of Malwarebytes would have protected you against the TinyChill hijacker. They would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.tinychill.com CHR DefaultSearchURL: Default -> hxxps://feed.tinychill.com/?q={searchTerms}&publisher=tinychill&barcodeid=568620000000000 CHR DefaultSearchKeyword: Default -> TinyChill CHR DefaultSuggestURL: Default -> hxxps://api.tinychill.com/suggest/get?q={searchTerms} CHR Extension: (TinyChill) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac [2020-02-20] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0 Adds the file manifest.json"="2/20/2020 9:13 AM, 2038 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/20/2020 9:13 AM, 6135 bytes, A Adds the file verified_contents.json"="1/21/2020 10:49 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\images\icons Adds the file 128x128.png"="2/20/2020 9:13 AM, 9616 bytes, A Adds the file 16x16.png"="2/20/2020 9:13 AM, 703 bytes, A Adds the file 64x64.png"="2/20/2020 9:13 AM, 4415 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\djlopnkmcpkkdnhgpffbnllnpinagcac\1.0.0_0\scripts Adds the file background.js"="1/21/2020 10:49 AM, 513868 bytes, A Adds the file sitecontent.js"="1/21/2020 10:49 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_djlopnkmcpkkdnhgpffbnllnpinagcac Adds the file TinyChill.ico"="2/20/2020 9:13 AM, 202567 bytes, A Adds the file TinyChill.ico.md5"="2/20/2020 9:13 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "djlopnkmcpkkdnhgpffbnllnpinagcac"="REG_SZ", "FB8C6BEA0FCE4428CA8080CAF7ED4521D682EFDAA84AA0DA090D197E99C2F880" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/20/20 Scan Time: 9:26 AM Log File: a4494b36-53ba-11ea-be46-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19482 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235874 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 30 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TinyChill, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|djlopnkmcpkkdnhgpffbnllnpinagcac, Quarantined, 15071, 790797, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DJLOPNKMCPKKDNHGPFFBNLLNPINAGCAC, Quarantined, 15071, 790797, 1.0.19482, , ame, File: 6 PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15071, 790797, , , , PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15071, 790797, , , , PUP.Optional.TinyChill, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DJLOPNKMCPKKDNHGPFFBNLLNPINAGCAC\1.0.0_0\MANIFEST.JSON, Quarantined, 15071, 790797, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789477, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789477, 1.0.19482, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 217, 789477, 1.0.19482, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is SearchYA? The Malwarebytes research team has determined that SearchYA is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by SearchYA? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did SearchYA get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove SearchYA? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of SearchYA? No, Malwarebytes removes SearchYA completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Browser Guard, as well as the full version of Malwarebytes would have protected you against the SearchYA hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://install.search-ya.com CHR DefaultSearchURL: Default -> hxxps://feed.search-ya.com/?q={searchTerms}&publisher=searchya&barcodeid=568630000000000 CHR DefaultSearchKeyword: Default -> SearchYA CHR DefaultSuggestURL: Default -> hxxps://api.search-ya.com/suggest/get?q={searchTerms} CHR Extension: (SearchYA) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd [2020-02-19] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0 Adds the file manifest.json"="2/19/2020 8:59 AM, 2032 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/19/2020 8:59 AM, 6135 bytes, A Adds the file verified_contents.json"="1/20/2020 10:15 AM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\images\icons Adds the file 128x128.png"="2/19/2020 8:59 AM, 4365 bytes, A Adds the file 16x16.png"="2/19/2020 8:59 AM, 544 bytes, A Adds the file 64x64.png"="2/19/2020 8:59 AM, 2224 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hleencoclkeflkjlikhldjhafcpdgjjd\1.0.0_0\scripts Adds the file background.js"="1/20/2020 10:15 AM, 513853 bytes, A Adds the file sitecontent.js"="1/20/2020 10:15 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_hleencoclkeflkjlikhldjhafcpdgjjd Adds the file SearchYA.ico"="2/19/2020 8:59 AM, 178477 bytes, A Adds the file SearchYA.ico.md5"="2/19/2020 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hleencoclkeflkjlikhldjhafcpdgjjd"="REG_SZ", "0DD3C99E34CC2F160E4CD8AE8CF7CA1EF12BD63E355675C19850F799320FDE5B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/19/20 Scan Time: 9:09 AM Log File: 1e3656fe-52ef-11ea-9658-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19438 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235896 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 3 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchYa, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hleencoclkeflkjlikhldjhafcpdgjjd, Quarantined, 411, 791984, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLEENCOCLKEFLKJLIKHLDJHAFCPDGJJD, Quarantined, 411, 791984, 1.0.19438, , ame, File: 6 PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 411, 791984, , , , PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 411, 791984, , , , PUP.Optional.SearchYa, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLEENCOCLKEFLKJLIKHLDJHAFCPDGJJD\1.0.0_0\MANIFEST.JSON, Quarantined, 411, 791984, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789466, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 217, 789466, 1.0.19438, , ame, PUP.Optional.PushNotifications, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 217, 789466, 1.0.19438, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Email Search Tools? The Malwarebytes research team has determined that Email Search Tools is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Email Search Tools? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did Email Search Tools get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Email Search Tools? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Email Search Tools? No, Malwarebytes removes Email Search Tools completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Email Search Tools hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://search.emailsearchtools.com/s?query={searchTerms} CHR DefaultSearchKeyword: Default -> qs CHR Extension: (EmailSearchTools) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb [2020-02-18] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0 Adds the file background.js"="9/18/2019 1:42 PM, 14032 bytes, A Adds the file icon.png"="2/18/2020 9:27 AM, 5491 bytes, A Adds the file manifest.json"="2/18/2020 9:27 AM, 1540 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\_locales\en Adds the file messages.json"="2/18/2020 9:27 AM, 266 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\_metadata Adds the file computed_hashes.json"="2/18/2020 9:27 AM, 630 bytes, A Adds the file verified_contents.json"="1/8/2020 4:17 PM, 1893 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\css Adds the file description.css"="5/3/2018 4:42 PM, 1008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jghejomglpmejfcphjbfeplpdndfccbb\1.3_0\html\popup Adds the file description.html"="9/5/2019 2:07 PM, 240 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb Adds the file 000003.log"="2/18/2020 9:27 AM, 141 bytes, A Adds the file CURRENT"="2/18/2020 9:27 AM, 16 bytes, A Adds the file LOCK"="2/18/2020 9:27 AM, 0 bytes, A Adds the file LOG"="2/18/2020 9:30 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/18/2020 9:27 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jghejomglpmejfcphjbfeplpdndfccbb"="REG_SZ", "97E0F3A7AB704677C53A02393F770EDAD534C32F242AD71AAE6161493AF5A4A7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/18/20 Scan Time: 9:49 AM Log File: a112250e-522b-11ea-b7ee-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19396 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235882 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 33 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jghejomglpmejfcphjbfeplpdndfccbb, Quarantined, 205, 774169, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGHEJOMGLPMEJFCPHJBFEPLPDNDFCCBB, Quarantined, 205, 774169, 1.0.19396, , ame, File: 9 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\000003.log, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\CURRENT, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\LOCK, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\LOG, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jghejomglpmejfcphjbfeplpdndfccbb\MANIFEST-000001, Quarantined, 205, 774169, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGHEJOMGLPMEJFCPHJBFEPLPDNDFCCBB\1.3_0\BACKGROUND.JS, Quarantined, 205, 774169, 1.0.19396, , ame, PUP.Optional.Spigot.PN, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 220, 786325, 1.0.19396, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Search Pulse?The Malwarebytes research team has determined that Search Pulse is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one also changes the newtab page.How do I know if my computer is affected by Search Pulse?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:these changed settings:and these warnings during install:How did Search Pulse get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website.How do I remove Search Pulse?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Search Pulse? No, Malwarebytes removes Search Pulse completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Search Pulse hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://iifkpdclgffdnbijholnpbojbgpblhil/newtab/newtab.html" CHR DefaultSearchURL: Default -> hxxp://search.searchpulse.net/search?q={searchTerms} CHR DefaultSearchKeyword: Default -> Search Pulse CHR Extension: (Search Pulse) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil [2020-02-17] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0 Adds the file manifest.json"="2/17/2020 8:46 AM, 1785 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\_metadata Adds the file computed_hashes.json"="2/17/2020 8:46 AM, 1058 bytes, A Adds the file verified_contents.json"="12/6/2016 3:27 PM, 2005 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\html Adds the file modal.css"="12/1/2016 4:25 PM, 2230 bytes, A Adds the file modal.html"="12/6/2016 3:27 PM, 141 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\images Adds the file icon48.png"="2/17/2020 8:46 AM, 1175 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\newtab Adds the file newtab.html"="12/6/2016 3:27 PM, 267 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iifkpdclgffdnbijholnpbojbgpblhil\1.7_0\scripts Adds the file background.js"="12/6/2016 3:27 PM, 25711 bytes, A Adds the file foreground.js"="12/6/2016 3:27 PM, 17886 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil Adds the file 000003.log"="2/17/2020 8:52 AM, 865 bytes, A Adds the file CURRENT"="2/17/2020 8:46 AM, 16 bytes, A Adds the file LOCK"="2/17/2020 8:46 AM, 0 bytes, A Adds the file LOG"="2/17/2020 8:52 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/17/2020 8:46 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iifkpdclgffdnbijholnpbojbgpblhil"="REG_SZ", "ED9C51F6282C4009FF7E79F3DC4BBC0BB4BFE7135FF8C71EC67C5083E5294B60" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/17/20 Scan Time: 9:02 AM Log File: e8e64304-515b-11ea-bc79-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19332 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235898 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 10 min, 47 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchPulse, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iifkpdclgffdnbijholnpbojbgpblhil, Quarantined, 279, 790802, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IIFKPDCLGFFDNBIJHOLNPBOJBGPBLHIL, Quarantined, 279, 790802, 1.0.19332, , ame, File: 9 PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 279, 790802, , , , PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\000003.log, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\CURRENT, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\LOCK, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\LOG, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iifkpdclgffdnbijholnpbojbgpblhil\MANIFEST-000001, Quarantined, 279, 790802, , , , PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IIFKPDCLGFFDNBIJHOLNPBOJBGPBLHIL\1.7_0\MANIFEST.JSON, Quarantined, 279, 790802, 1.0.19332, , ame, PUP.Optional.SearchPulse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 279, 790803, 1.0.19332, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Encrypted Search? The Malwarebytes research team has determined that Encrypted Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Encrypted Search? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did Encrypted Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Encrypted Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Encrypted Search? No, Malwarebytes removes Encrypted Search completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Encrypted Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.encryptedsearch.org/encsearch?q={searchTerms} CHR DefaultSearchKeyword: Default -> ens CHR DefaultSuggestURL: Default -> hxxps://www.encryptedsearch.org/encsuggest?q={searchTerms} CHR Extension: (Encrypted Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad [2020-02-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0 Adds the file background.html"="7/1/2019 1:13 PM, 160 bytes, A Adds the file manifest.json"="2/14/2020 8:56 AM, 2266 bytes, A Adds the file panel.html"="7/1/2019 1:13 PM, 2090 bytes, A Adds the file settings.html"="7/1/2019 1:13 PM, 11545 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\_metadata Adds the file computed_hashes.json"="2/14/2020 8:56 AM, 8205 bytes, A Adds the file verified_contents.json"="7/1/2019 1:13 PM, 3067 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\css Adds the file tooltip.css"="7/1/2019 1:13 PM, 1300 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\img\ens Adds the file icon128.png"="2/14/2020 8:56 AM, 6316 bytes, A Adds the file icon16.png"="2/14/2020 8:56 AM, 499 bytes, A Adds the file icon16_disabled.png"="2/14/2020 8:56 AM, 499 bytes, A Adds the file icon48.png"="2/14/2020 8:56 AM, 1825 bytes, A Adds the file input-checked.png"="7/1/2019 1:13 PM, 318 bytes, A Adds the file input-unchecked.png"="7/1/2019 1:13 PM, 154 bytes, A Adds the file si-logo.png"="7/1/2019 1:13 PM, 18589 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobcdcioiildgbfeojoadlcicdnadpad\3.6.2.4_0\lib Adds the file bg.js"="7/1/2019 1:13 PM, 391577 bytes, A Adds the file page-protection.js"="7/1/2019 1:13 PM, 70172 bytes, A Adds the file panel.js"="7/1/2019 1:13 PM, 58322 bytes, A Adds the file savesettings.js"="7/1/2019 1:13 PM, 65834 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad Adds the file 000003.log"="2/14/2020 8:56 AM, 0 bytes, A Adds the file CURRENT"="2/14/2020 8:56 AM, 16 bytes, A Adds the file LOCK"="2/14/2020 8:56 AM, 0 bytes, A Adds the file LOG"="2/14/2020 8:56 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/14/2020 8:56 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad Adds the file 000003.log"="2/14/2020 8:56 AM, 0 bytes, A Adds the file CURRENT"="2/14/2020 8:56 AM, 16 bytes, A Adds the file LOCK"="2/14/2020 8:56 AM, 0 bytes, A Adds the file LOG"="2/14/2020 8:56 AM, 0 bytes, A Adds the file MANIFEST-000001"="2/14/2020 8:56 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iobcdcioiildgbfeojoadlcicdnadpad"="REG_SZ", "D123F8CFEFB53CC496BE4BA4BEAC7D15B29C24B934D823B74E59C4B8CF889167" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/14/20 Scan Time: 9:07 AM Log File: 0807a1f4-4f01-11ea-a0ef-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19198 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236120 Threats Detected: 18 Threats Quarantined: 18 Time Elapsed: 9 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.EncryptedSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\iobcdcioiildgbfeojoadlcicdnadpad, Quarantined, 259, 733511, 1.0.19198, , ame, File: 14 PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\000003.log, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\CURRENT, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOCK, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOG, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\MANIFEST-000001, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\000003.log, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\CURRENT, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOCK, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\LOG, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iobcdcioiildgbfeojoadlcicdnadpad\MANIFEST-000001, Quarantined, 259, 733511, , , , PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 259, 733510, 1.0.19198, , ame, PUP.Optional.EncryptedSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 259, 733510, 1.0.19198, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is MyPrintScreen? The Malwarebytes research team has determined that MyPrintScreen is a potentially unwanted program that behaves like a trojan. It downloads other threats to the affected system. How do I know if my computer is affected by MyPrintScreen? You may see this warning during install: this control on your desktop: this entry in your start menu: and this entry in your list of installed Programs and Features: You will see this menu when you make a screenshot: How did MyPrintScreen get on my computer? Adware applications use different methods for distributing themselves. This particular one was downloaded from their website: How do I remove MyPrintScreen? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MyPrintScreen? You can uninstall MyPrintScreen after the reboot if you no longer wish to use it. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this potentially unwanted program. As you can see below the full version of Malwarebytes would have protected you against the MyPrintScreen PUP. It would have blocked the installer before it became too late. and both Malwarebytes Premium and Browser Guard would have blocked their domain: Technical details for experts Possible signs in FRST logs: (GenericTools Company) [File not signed] C:\Users\{username}\AppData\Local\GenericTools\GenericTools.exe (АЙ СI СI, ТОВ -> MyPrintScreen Company) C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe HKCU\...\Run: [MyPrintScreen] => C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe [442512 2018-01-19] (АЙ СI СI, ТОВ -> MyPrintScreen Company) HKCU\...\Run: [GenericTools] => C:\Users\{username}\AppData\Local\GenericTools\GenericTools.exe [233984 2020-02-04] (GenericTools Company) [File not signed] HKCU\...\Run: [SiSoft] => C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe [184832 2020-01-08] (SiSoft LTD) [File not signed] C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPrintScreen C:\Users\{username}\AppData\Local\MyPrintScreen C:\Users\{username}\AppData\Local\GenericTools MyPrintScreen (HKCU\...\MyPrintScreen_is1) (Version: 3.3.1.0 - MyPrintScreen Company) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\GenericTools Adds the file GenericTools.exe"="2/4/2020 4:15 PM, 233984 bytes, A Adds the file libcurl.dll"="11/28/2017 4:27 PM, 318976 bytes, A Adds the file libeay32.dll"="11/21/2017 10:00 AM, 1178112 bytes, A Adds the file msvcp100.dll"="6/11/2011 2:58 AM, 421200 bytes, A Adds the file msvcr100.dll"="6/11/2011 2:58 AM, 773968 bytes, A Adds the file QtCore4.dll"="8/7/2013 5:32 PM, 2598912 bytes, A Adds the file QtGui4.dll"="6/27/2013 12:16 PM, 8581632 bytes, A Adds the file QtNetwork4.dll"="6/27/2013 12:10 PM, 1053696 bytes, A Adds the file QtScript4.dll"="6/27/2013 11:23 AM, 1341440 bytes, A Adds the file QtWebKit4.dll"="6/27/2013 12:29 PM, 13112320 bytes, A Adds the file SiSoft.exe"="1/8/2020 3:23 PM, 184832 bytes, A Adds the file ssleay32.dll"="5/10/2012 10:10 PM, 265216 bytes, A Adds the file ws"="2/13/2020 10:37 AM, 7876 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MyPrintScreen Adds the file msvcp100.dll"="6/11/2011 2:58 AM, 421200 bytes, A Adds the file msvcr100.dll"="6/11/2011 2:58 AM, 773968 bytes, A Adds the file MyPrintScreen.exe"="1/19/2018 5:42 PM, 442512 bytes, A Adds the file QtCore4.dll"="8/7/2013 5:32 PM, 2598912 bytes, A Adds the file QtGui4.dll"="6/27/2013 12:16 PM, 8581632 bytes, A Adds the file QtNetwork4.dll"="6/27/2013 12:10 PM, 1053696 bytes, A Adds the file unins000.dat"="2/13/2020 10:37 AM, 16128 bytes, A Adds the file unins000.exe"="2/13/2020 10:36 AM, 1287881 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MyPrintScreen\imageformats Adds the file qgif4.dll"="11/26/2012 12:31 PM, 26624 bytes, A Adds the file qico4.dll"="11/26/2012 12:31 PM, 28672 bytes, A Adds the file qjpeg4.dll"="11/26/2012 12:31 PM, 201216 bytes, A Adds the file qmng4.dll"="11/26/2012 12:31 PM, 222208 bytes, A Adds the file qsvg4.dll"="11/26/2012 12:31 PM, 21504 bytes, A Adds the file qtga4.dll"="11/26/2012 12:32 PM, 19968 bytes, A Adds the file qtiff4.dll"="11/26/2012 12:31 PM, 287232 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPrintScreen Adds the file How to use MyPrintScreen.url"="2/13/2020 10:37 AM, 54 bytes, A Adds the file MyPrintScreen.lnk"="2/13/2020 10:37 AM, 1142 bytes, A Adds the file Uninstall MyPrintScreen.lnk"="2/13/2020 10:37 AM, 1117 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\GenericTools] "insterra"="REG_SZ", "191112" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "GenericTools"="REG_SZ", "C:\Users\{username}\AppData\Local\GenericTools\GenericTools.exe" "MyPrintScreen"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe" "SiSoft"="REG_SZ", "C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPrintScreen_is1] "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen\MyPrintScreen.exe" "DisplayName"="REG_SZ", "MyPrintScreen" "DisplayVersion"="REG_SZ", "3.3.1.0" "EstimatedSize"="REG_DWORD", 44930 "Inno Setup: App Path"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen" "Inno Setup: Icon Group"="REG_SZ", "MyPrintScreen" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.3 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20200213" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\MyPrintScreen\" "MajorVersion"="REG_DWORD", 3 "MinorVersion"="REG_DWORD", 3 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "MyPrintScreen Company" "QuietUninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Local\MyPrintScreen\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Local\MyPrintScreen\unins000.exe"" [HKEY_CURRENT_USER\Software\myprintscreen.com\MyPrintScreen] "first"="REG_SZ", "false" "Language"="REG_SZ", "en" "Show snap button"="REG_SZ", "true" [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\{username}\AppData\Local\MyPrintScreen\imageformats] "qgif4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:46 gif " "qico4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:58 ico " "qjpeg4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:44 jpeg jpg " "qmng4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:50 mng " "qtga4.dll"="REG_MULTI_SZ, "2012-11-26T12:32:00 tga " "qtiff4.dll"="REG_MULTI_SZ, "2012-11-26T12:31:56 tiff tif " [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\{username}\AppData\Local\MyPrintScreen\imageformats] "qgif4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:46 " "qico4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:58 " "qjpeg4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:44 " "qmng4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:50 " "qsvg4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:52 " "qtga4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:32:00 " "qtiff4.dll"="REG_MULTI_SZ, "40804 0 Windows msvc release full-config 2012-11-26T12:31:56 " Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/13/20 Scan Time: 12:17 PM Log File: 63d4d3bc-4e52-11ea-8df3-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19150 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236126 Threats Detected: 33 Threats Quarantined: 32 Time Elapsed: 14 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS\GENERICTOOLS.EXE, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe, Quarantined, 4849, 467517, , , , Module: 15 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS\GENERICTOOLS.EXE, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libcurl.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libeay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libeay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtCore4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtCore4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtGui4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtGui4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtNetwork4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtNetwork4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtScript4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtWebKit4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ssleay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ssleay32.dll, Quarantined, 4849, 467517, , , , Registry Key: 0 (No malicious items detected) Registry Value: 2 RiskWare.Redirector, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|GenericTools, Quarantined, 4849, 467517, , , , RiskWare.Redirector, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SiSoft, Quarantined, 4849, 467517, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS, whitelisted, 4849, 467517, 1.0.19150, 0C000076D500000028AD977C, dds, File: 13 RiskWare.Redirector, C:\USERS\{username}\APPDATA\LOCAL\GENERICTOOLS\GENERICTOOLS.EXE, Quarantined, 4849, 467517, 1.0.19150, 0C000076D500000028AD977C, dds, 00588077 RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libcurl.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\libeay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtCore4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtGui4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtNetwork4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtScript4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\QtWebKit4.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\SiSoft.exe, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ssleay32.dll, Quarantined, 4849, 467517, , , , RiskWare.Redirector, C:\Users\{username}\AppData\Local\GenericTools\ws, Quarantined, 4849, 467517, , , , PUP.Optional.SoundFrost, C:\USERS\{username}\DESKTOP\WEBSOFT.EXE, Quarantined, 161, 789932, 1.0.19150, , ame, PUP.Optional.SoundFrost, C:\USERS\{username}\DESKTOP\MYPRINTSCREEN.EXE, Quarantined, 161, 788387, 1.0.19150, 5BF1AFA902506587052E1825, dds, 00588077 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Access Gov Docs Tab? The Malwarebytes research team has determined that Access Gov Docs Tab is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by Access Gov Docs Tab? You may see this browser extension: these warnings during install: You may see this new startpage: and this new setting: How did Access Gov Docs Tab get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website. How do I remove Access Gov Docs Tab? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Access Gov Docs Tab? No, Malwarebytes' Anti-Malware removes Access Gov Docs Tab completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the Access Gov Docs Tab hijacker. It blocks their domains: Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://accessgovdocs.net CHR NewTab: Default -> Active:"chrome-extension://pkcbnkckeahemigpmionfaiclhdeellf/newtabhtml/newtabpage.html" CHR Extension: (Access Gov Docs Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf [2020-02-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0 Adds the file central.js"="11/4/2019 4:54 PM, 2612 bytes, A Adds the file icon.png"="2/12/2020 8:57 AM, 5222 bytes, A Adds the file manifest.json"="2/12/2020 8:57 AM, 1363 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\_locales\en Adds the file messages.json"="2/12/2020 8:57 AM, 206 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\_metadata Adds the file computed_hashes.json"="2/12/2020 8:57 AM, 1609 bytes, A Adds the file verified_contents.json"="11/4/2019 4:54 PM, 3027 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\html\bAction Adds the file about.html"="11/4/2019 4:54 PM, 4050 bytes, A Adds the file newtabpage.html"="11/4/2019 4:54 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\js Adds the file browseraction.js"="11/4/2019 4:54 PM, 992 bytes, A Adds the file config.js"="11/4/2019 4:54 PM, 1014 bytes, A Adds the file dailyFeature.js"="11/4/2019 4:54 PM, 3479 bytes, A Adds the file diagnostic.js"="11/4/2019 4:54 PM, 874 bytes, A Adds the file log.js"="11/4/2019 4:54 PM, 880 bytes, A Adds the file newTab.js"="11/4/2019 4:54 PM, 2418 bytes, A Adds the file search.js"="11/4/2019 4:54 PM, 857 bytes, A Adds the file store.js"="11/4/2019 4:54 PM, 235 bytes, A Adds the file utility.js"="11/4/2019 4:54 PM, 2534 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf\1.0_0\newtabhtml Adds the file newtabpage.html"="11/4/2019 4:54 PM, 207 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf Adds the file 000003.log"="2/12/2020 8:57 AM, 436 bytes, A Adds the file CURRENT"="2/12/2020 8:57 AM, 16 bytes, A Adds the file LOCK"="2/12/2020 8:57 AM, 0 bytes, A Adds the file LOG"="2/12/2020 9:03 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/12/2020 8:57 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pkcbnkckeahemigpmionfaiclhdeellf"="REG_SZ", "1EC6E39BCCAD8954D53C75484C0712E68018C6906F0131AD4AEEA10CD5CC19FC" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/12/20 Scan Time: 9:08 AM Log File: e61a4dbe-4d6e-11ea-9609-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.823 Update Package Version: 1.0.19088 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235857 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 11 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pkcbnkckeahemigpmionfaiclhdeellf, Quarantined, 205, 752296, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\pkcbnkckeahemigpmionfaiclhdeellf, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf, Quarantined, 205, 752296, , , , File: 8 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\000003.log, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\CURRENT, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\LOCK, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\LOG, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkcbnkckeahemigpmionfaiclhdeellf\MANIFEST-000001, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PKCBNKCKEAHEMIGPMIONFAICLHDEELLF\1.0_0\JS\DAILYFEATURE.JS, Quarantined, 205, 752296, 1.0.19088, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is Searchsio? The Malwarebytes research team has determined that Searchsio is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by Searchsio? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did Searchsio get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Searchsio? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Searchsio? No, Malwarebytes removes Searchsio completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Searchsio hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.searchsio.com/?q={searchTerms}&publisher=searchsio&barcodeid=568580000000000 CHR DefaultSearchKeyword: Default -> Searchsio CHR DefaultSuggestURL: Default -> hxxps://api.searchsio.com/suggest/get?q={searchTerms} CHR Extension: (Searchsio) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj [2020-02-11] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0 Adds the file manifest.json"="2/11/2020 8:56 AM, 2038 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/11/2020 8:56 AM, 6135 bytes, A Adds the file verified_contents.json"="1/19/2020 12:43 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0\images\icons Adds the file 128x128.png"="2/11/2020 8:56 AM, 10948 bytes, A Adds the file 16x16.png"="2/11/2020 8:56 AM, 747 bytes, A Adds the file 64x64.png"="2/11/2020 8:56 AM, 4478 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bolckdodmilglagkpefcempiidghfbgj\1.0.0_0\scripts Adds the file background.js"="1/19/2020 12:43 PM, 513868 bytes, A Adds the file sitecontent.js"="1/19/2020 12:43 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bolckdodmilglagkpefcempiidghfbgj Adds the file Searchsio.ico"="2/11/2020 8:56 AM, 204420 bytes, A Adds the file Searchsio.ico.md5"="2/11/2020 8:56 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bolckdodmilglagkpefcempiidghfbgj"="REG_SZ", "967457670AE6AA3FA28F271A327F7B20F3610E5515640159CB153281AF11517A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/11/20 Scan Time: 9:09 AM Log File: da61f928-4ca5-11ea-96bc-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.19028 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235809 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 12 min, 39 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Searchsio, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bolckdodmilglagkpefcempiidghfbgj, Quarantined, 2197, 789280, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.Searchsio, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\bolckdodmilglagkpefcempiidghfbgj, Quarantined, 2197, 789280, 1.0.19028, , ame, File: 2 PUP.Optional.Searchsio, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 2197, 789280, , , , PUP.Optional.Searchsio, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 2197, 789280, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is FreeTemplateFinder? The Malwarebytes research team has determined that FreeTemplateFinder is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. FreeTemplateFinder is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by FreeTemplateFinder? You may see these browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did FreeTemplateFinder get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. and the Chrome extension was also available in the webstore: How do I remove FreeTemplateFinder? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of FreeTemplateFinder? No, Malwarebytes' Anti-Malware removes FreeTemplateFinder completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the FreeTemplateFinder hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/FreeTemplateFinder/t{tab}/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid} FF Homepage: Mozilla\Firefox\Profiles\{profile}.default -> moz-extension://b64f0546-a727-453a-96f5-8565da717b6d/dynamicHomePage.html FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _psMembersttab03_@www.freetemplatefinder.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _psMembersttab03_@www.freetemplatefinder.com FF Extension: (FreeTemplateFinder) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_psMembersttab03_@www.freetemplatefinder.com.xpi [2020-02-10] [UpdateUrl:hxxps://updates.tb.ask.com/updateXpi.json?id=237229520&version=8.937.17.22630&track=TTAB03&trackRevision=1&fromId=_psMembersttab03_%40www.freetemplatefinder.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://jinolcibcadgfapgambehioklcionlpg/ntp1.html" CHR Extension: (FreeTemplateFinder) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg [2020-02-10] C:\Users\{username}\AppData\Local\FreeTemplateFinderTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\freetemplatefinder.exe FreeTemplateFinder Internet Explorer Homepage and New Tab (HKCU\...\FreeTemplateFinderTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: Monitored program FreeTemplateFinder Setup 2.8.1.1000 Monitored on 2/10/2020 9:11:50 AM Monitored program path File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\FreeTemplateFinderTooltab Adds the file TooltabExtension.dll"="12/7/2019 12:25 AM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0 Adds the file manifest.json"="2/10/2020 9:09 AM, 2537 bytes, A Adds the file ntp1.html"="1/13/2020 4:34 PM, 1434 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\_metadata Adds the file computed_hashes.json"="2/10/2020 9:09 AM, 5628 bytes, A Adds the file verified_contents.json"="1/13/2020 4:34 PM, 7160 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\config Adds the file config.json"="1/13/2020 4:34 PM, 1463 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\icons Adds the file icon128.png"="2/10/2020 9:09 AM, 6251 bytes, A Adds the file icon16.png"="1/13/2020 4:34 PM, 1540 bytes, A Adds the file icon19disabled.png"="1/13/2020 4:34 PM, 1562 bytes, A Adds the file icon19on.png"="2/10/2020 9:09 AM, 701 bytes, A Adds the file icon48.png"="2/10/2020 9:09 AM, 2440 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jinolcibcadgfapgambehioklcionlpg\13.921.17.10811_0\js Adds the file ajax.js"="1/13/2020 4:34 PM, 3263 bytes, A Adds the file babAPI.js"="1/13/2020 4:34 PM, 5703 bytes, A Adds the file babClickHandler.js"="1/13/2020 4:34 PM, 11589 bytes, A Adds the file babContentScript.js"="1/13/2020 4:34 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="1/13/2020 4:34 PM, 9842 bytes, A Adds the file background.js"="1/13/2020 4:34 PM, 18898 bytes, A Adds the file browserUtils.js"="1/13/2020 4:34 PM, 1892 bytes, A Adds the file chrome.js"="1/13/2020 4:34 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="1/13/2020 4:34 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="1/13/2020 4:34 PM, 1213 bytes, A Adds the file dlp.js"="1/13/2020 4:34 PM, 5783 bytes, A Adds the file dlpHelper.js"="1/13/2020 4:34 PM, 1835 bytes, A Adds the file extensionDetect.js"="1/13/2020 4:34 PM, 4354 bytes, A Adds the file index.js"="1/13/2020 4:34 PM, 49 bytes, A Adds the file localStorageContentScript.js"="1/13/2020 4:34 PM, 2236 bytes, A Adds the file logger.js"="1/13/2020 4:34 PM, 531 bytes, A Adds the file meta.js"="1/13/2020 4:34 PM, 1660 bytes, A Adds the file offerService.js"="1/13/2020 4:34 PM, 16953 bytes, A Adds the file pageUtils.js"="1/13/2020 4:34 PM, 2905 bytes, A Adds the file PartnerId.js"="1/13/2020 4:34 PM, 16402 bytes, A Adds the file polyfill.js"="1/13/2020 4:34 PM, 875 bytes, A Adds the file product.js"="1/13/2020 4:34 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="1/13/2020 4:34 PM, 5053 bytes, A Adds the file searchBoxFocusSetterEdge.js"="1/13/2020 4:34 PM, 1648 bytes, A Adds the file splashPageRedirectHandler.js"="1/13/2020 4:34 PM, 2821 bytes, A Adds the file storageUtils.js"="1/13/2020 4:34 PM, 1718 bytes, A Adds the file TemplateParser.js"="1/13/2020 4:34 PM, 3153 bytes, A Adds the file ul.js"="1/13/2020 4:34 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="1/13/2020 4:34 PM, 2453 bytes, A Adds the file urlUtils.js"="1/13/2020 4:34 PM, 5906 bytes, A Adds the file util.js"="1/13/2020 4:34 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="1/13/2020 4:34 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="1/13/2020 4:34 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg Adds the file 000003.log"="2/10/2020 9:09 AM, 4661 bytes, A Adds the file CURRENT"="2/10/2020 9:09 AM, 16 bytes, A Adds the file LOCK"="2/10/2020 9:09 AM, 0 bytes, A Adds the file LOG"="2/10/2020 9:11 AM, 185 bytes, A Adds the file MANIFEST-000001"="2/10/2020 9:09 AM, 41 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _psMembersttab03_@www.freetemplatefinder.com.xpi"="2/10/2020 9:05 AM, 271344 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\FreeTemplateFinder] "Start Page"="REG_SZ", "https://hp.myway.com/FreeTemplateFinder/t{tab}/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}{tab}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jinolcibcadgfapgambehioklcionlpg"="REG_SZ", "24B7D5F9475527EED993E75CDD7750E8174B2D8BB72858E8529ED92D9A004E67" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/FreeTemplateFinder/t{tab}/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreeTemplateFinderTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "FreeTemplateFinder Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\FreeTemplateFinderTooltab\TooltabExtension.dll" U uninstall:FreeTemplateFinder" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/10/20 Scan Time: 9:19 AM Log File: 1db22c34-4bde-11ea-a4d0-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18978 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235811 Threats Detected: 23 Threats Quarantined: 23 Time Elapsed: 11 min, 43 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FreeTemplateFinderTooltab\TooltabExtension.dll, Quarantined, 1799, 356944, , , , Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FreeTemplateFinderTooltab Uninstall Internet Explorer, Quarantined, 1799, 356944, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FreeTemplateFinder, Quarantined, 1799, 444113, 1.0.18978, , ame, Registry Value: 4 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FreeTemplateFinder|START PAGE, Quarantined, 1799, 444113, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FreeTemplateFinder|UNINSTALLSURVEYURL, Quarantined, 1799, 769449, 1.0.18978, , ame, PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FreeTemplateFinderTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 696, 352442, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jinolcibcadgfapgambehioklcionlpg, Quarantined, 1799, 443121, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 696, 293497, 1.0.18978, , ame, Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FreeTemplateFinderTooltab, Quarantined, 1799, 356944, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JINOLCIBCADGFAPGAMBEHIOKLCIONLPG, Quarantined, 1799, 443121, 1.0.18978, , ame, File: 12 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FreeTemplateFinderTooltab\TooltabExtension.dll, Quarantined, 1799, 356944, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_psMembersttab03_@www.freetemplatefinder.com.xpi, Quarantined, 1799, 782571, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\000003.log, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\CURRENT, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\LOCK, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\LOG, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jinolcibcadgfapgambehioklcionlpg\MANIFEST-000001, Quarantined, 1799, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JINOLCIBCADGFAPGAMBEHIOKLCIONLPG\13.921.17.10811_0\MANIFEST.JSON, Quarantined, 1799, 443121, 1.0.18978, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JINOLCIBCADGFAPGAMBEHIOKLCIONLPG\13.921.17.10811_0\CONFIG\CONFIG.JSON, Quarantined, 1799, 456842, 1.0.18978, , ame, PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FREETEMPLATEFINDER.EXE, Quarantined, 696, 365288, 1.0.18978, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Adware.Adposhel? The Malwarebytes research team has determined that Adware.Adposhel is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one changes Chrome policies to allow their own web push notifications. How do I know if my computer is affected by Adware.Adposhel? You may see this warnings after install: the installer runs Chrome with a new tab pointing to one of their sites and you may see these changed settings: with this text if you hover over one of the icons: How did Adware.Adposhel get on my computer? Adware applications use different methods for distributing themselves. This particular one was installed by a bundler. How do I remove Adware.Adposhel? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Adware.Adposhel? No, Malwarebytes removes Adware.Adposhel completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the Adware.Adposhel adware. It would have blocked the installer before it became too late. Installers of this type can be detected as Adware.Adpohel if the detection is based on file recognition: or as Virus.Agent if the detection is done heuristically: Technical details for experts Possible signs in FRST logs: CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION Significant changes made by the installer: Registry details ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "DefaultNotificationsSetting"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls] "1"="REG_SZ", "https://[*.]aclassigned.info" "2"="REG_SZ", "https://[*.]insupposity.info" "3"="REG_SZ", "https://[*.]enclosely.info" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/3/20 Scan Time: 3:59 PM Log File: bfcb66f0-4695-11ea-bafa-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18646 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235809 Threats Detected: 6 Threats Quarantined: 6 Time Elapsed: 30 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME, Quarantined, 7033, -1, 0.0.0, , action, Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME, Quarantined, 7033, -1, 0.0.0, , action, Registry Value: 2 Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME\NOTIFICATIONSALLOWEDFORURLS|2, Quarantined, 7033, 786861, 1.0.18646, , ame, Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME\NOTIFICATIONSALLOWEDFORURLS|2, Quarantined, 7033, 786861, 1.0.18646, , ame, Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Adware.Adposhel, C:\USERS\{username}\DOWNLOADS\ADPOSHEL.EXE, Quarantined, 535, 508655, 1.0.18646, 1AE8D283FBBFE5398D87D6EB, dds, 00573913 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Finding Forms Pro? The Malwarebytes research team has determined that Finding Forms Pro is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by Finding Forms Pro? You may see this browser extension: these warnings during install: this new startpage: and these new settings: How did Finding Forms Pro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Finding Forms Pro? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Finding Forms Pro? No, Malwarebytes' Anti-Malware removes Finding Forms Pro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard would have protected you against the Finding Forms Pro hijacker. It blocks some of their domains: Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://hp.hformshere.com CHR NewTab: Default -> Active:"chrome-extension://dlefdpnpkfggdjonedjkccpfdclfgegg/newtabhtml/newtabpage.html" CHR Extension: (Finding Forms Pro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg [2020-02-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0 Adds the file central.js"="1/24/2020 3:54 PM, 2344 bytes, A Adds the file icon.png"="2/6/2020 10:56 AM, 5222 bytes, A Adds the file manifest.json"="2/6/2020 10:56 AM, 1325 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\_locales\en Adds the file messages.json"="2/6/2020 10:56 AM, 204 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\_metadata Adds the file computed_hashes.json"="2/6/2020 10:56 AM, 1499 bytes, A Adds the file verified_contents.json"="1/29/2020 11:17 AM, 2912 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\html\bAction Adds the file about.html"="1/24/2020 3:54 PM, 3726 bytes, A Adds the file newtabpage.html"="1/24/2020 3:54 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\js Adds the file browseraction.js"="1/24/2020 3:54 PM, 988 bytes, A Adds the file config.js"="1/24/2020 3:54 PM, 1014 bytes, A Adds the file dailyFeature.js"="1/24/2020 3:54 PM, 3475 bytes, A Adds the file log.js"="1/24/2020 3:54 PM, 872 bytes, A Adds the file newTab.js"="1/24/2020 3:54 PM, 1507 bytes, A Adds the file search.js"="1/24/2020 3:54 PM, 1033 bytes, A Adds the file store.js"="1/24/2020 3:54 PM, 235 bytes, A Adds the file utility.js"="1/24/2020 3:54 PM, 2522 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg\1.2_0\newtabhtml Adds the file newtabpage.html"="1/24/2020 3:54 PM, 207 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg Adds the file 000003.log"="2/6/2020 10:56 AM, 447 bytes, A Adds the file CURRENT"="2/6/2020 10:56 AM, 16 bytes, A Adds the file LOCK"="2/6/2020 10:56 AM, 0 bytes, A Adds the file LOG"="2/6/2020 11:00 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/6/2020 10:56 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dlefdpnpkfggdjonedjkccpfdclfgegg"="REG_SZ", "2A8D7CDFC553DD0C308830FDFAD3332E59991F14F3C52A4FAFAA9D68DC9F7F00" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/6/20 Scan Time: 11:05 AM Log File: 3da51bf0-48c8-11ea-9dcc-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18788 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235813 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 20 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dlefdpnpkfggdjonedjkccpfdclfgegg, Quarantined, 205, 752296, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\dlefdpnpkfggdjonedjkccpfdclfgegg, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg, Quarantined, 205, 752296, , , , File: 9 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\000003.log, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\CURRENT, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\LOCK, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\LOG, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dlefdpnpkfggdjonedjkccpfdclfgegg\MANIFEST-000001, Quarantined, 205, 752296, , , , PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DLEFDPNPKFGGDJONEDJKCCPFDCLFGEGG\1.2_0\JS\DAILYFEATURE.JS, Quarantined, 205, 752296, 1.0.18788, , ame, PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 156, 787624, 1.0.18788, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is Flight Tab Pro? The Malwarebytes research team has determined that Flight Tab Pro is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab hijacker and uses web push notifications. How do I know if my computer is affected by Flight Tab Pro? You may see this browser extension: these warnings during install: You may see this icon in your browsers menu-bar: this new startpage: and these new settings: How did Flight Tab Pro get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Flight Tab Pro? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Flight Tab Pro? No, Malwarebytes' Anti-Malware removes Flight Tab Pro completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Flight Tab Pro hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR Notifications: Default -> hxxps://flighttabpro.com CHR NewTab: Default -> Active:"chrome-extension://feokompmcbjpdcgbagmmgeflalabmkeh/html/index.html" CHR Extension: (Flight Tab Pro) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh [2020-02-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0 Adds the file background.js"="10/9/2019 10:10 AM, 9541 bytes, A Adds the file contentScript.js"="10/9/2019 10:10 AM, 5018 bytes, A Adds the file manifest.json"="2/5/2020 8:10 AM, 1573 bytes, A Adds the file misc.js"="10/9/2019 10:10 AM, 1733 bytes, A Adds the file util.js"="10/9/2019 10:10 AM, 5815 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\_metadata Adds the file computed_hashes.json"="2/5/2020 8:10 AM, 1425 bytes, A Adds the file verified_contents.json"="10/9/2019 10:10 AM, 2435 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\distJs Adds the file constants.js"="10/9/2019 10:10 AM, 4762 bytes, A Adds the file distribution.js"="10/9/2019 10:10 AM, 1744 bytes, A Adds the file helper.js"="10/9/2019 10:10 AM, 18598 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\html Adds the file index.html"="10/9/2019 10:10 AM, 156 bytes, A Adds the file init.js"="10/9/2019 10:10 AM, 1372 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\feokompmcbjpdcgbagmmgeflalabmkeh\1.0.0.3_0\icons Adds the file icon128.png"="2/5/2020 8:10 AM, 4011 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "feokompmcbjpdcgbagmmgeflalabmkeh"="REG_SZ", "D636DAB31DE24573A9C40029C5A070C78818040A1EC43C2EFE0B881647553EC2" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/5/20 Scan Time: 8:23 AM Log File: 7676f858-47e8-11ea-96c9-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18728 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235802 Threats Detected: 6 Threats Quarantined: 6 Time Elapsed: 27 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.FlightTabPro, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|feokompmcbjpdcgbagmmgeflalabmkeh, Quarantined, 338, 787172, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FEOKOMPMCBJPDCGBAGMMGEFLALABMKEH, Quarantined, 338, 787172, 1.0.18728, , ame, File: 4 PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 338, 787172, , , , PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 338, 787172, , , , PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FEOKOMPMCBJPDCGBAGMMGEFLALABMKEH\1.0.0.3_0\MANIFEST.JSON, Quarantined, 338, 787172, 1.0.18728, , ame, PUP.Optional.FlightTabPro, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 338, 787228, 1.0.18728, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Max Uninstaller?The Malwarebytes research team has determined that Max Uninstaller is a "system tool". These so-called "system tools" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.How do I know if I am infected with Max Uninstaller?This is how the main screen of the system tool looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these types of screens during "operations":You may see this entry in your list of installed programs:How did Max Uninstaller get on my computer?These so-called system tools use different methods of getting installed. This particular one was downloaded from their website:How do I remove Max Uninstaller?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Max Uninstaller? No, Malwarebytes removes Max Uninstaller completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Max Uninstaller installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Ideakee Inc -> ) C:\Program Files (x86)\Max Uninstaller\MU.exe C:\Users\Public\Desktop\Max Uninstaller.lnk C:\ProgramData\Desktop\Max Uninstaller.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller C:\Program Files (x86)\Max Uninstaller (hxxps://www.maxuninstaller.com/ ) C:\Users\{username}\Desktop\MaxUninstaller_Setup.exe Max Uninstaller version 3.8 (HKLM-x32\...\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1) (Version: 3.8 - hxxps://www.maxuninstaller.com/) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Max Uninstaller Adds the file ALMU.exe"="12/7/2016 11:03 AM, 849608 bytes, A Adds the file installedsoftware.txt"="2/4/2020 9:01 AM, 919 bytes, A Adds the file j_fixcs.dll"="4/8/2014 2:42 PM, 1937608 bytes, A Adds the file License.txt"="12/7/2016 11:13 AM, 6381 bytes, A Adds the file MU.exe"="5/9/2017 10:37 AM, 5458632 bytes, A Adds the file MU_UCC.exe"="12/7/2016 11:03 AM, 3222720 bytes, A Adds the file MU_Update.exe"="12/7/2016 11:04 AM, 2013896 bytes, A Adds the file s_fixcs.dll"="3/31/2014 4:14 PM, 3829960 bytes, A Adds the file sqlite3.dll"="3/31/2014 4:14 PM, 651936 bytes, A Adds the file unins000.dat"="2/4/2020 9:01 AM, 9055 bytes, A Adds the file unins000.exe"="2/4/2020 9:00 AM, 1190896 bytes, A Adds the file unins000.msg"="2/4/2020 9:01 AM, 22701 bytes, A Adds the file Uninstall.ico"="11/18/2011 3:35 PM, 17542 bytes, A Adds the file UnZip.dll"="3/3/2014 3:16 PM, 1223368 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller Adds the file Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1050 bytes, A Adds the file Uninstall Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1174 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Adds the file Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1056 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Max Uninstaller.lnk"="2/4/2020 9:01 AM, 1032 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Max Uninstaller\Uninstall.ico" "DisplayName"="REG_SZ", "Max Uninstaller version 3.8" "DisplayVersion"="REG_SZ", "3.8" "EstimatedSize"="REG_DWORD", 20754 "HelpLink"="REG_SZ", "https://www.maxuninstaller.com/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Max Uninstaller" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "Max Uninstaller" "Inno Setup: Language"="REG_SZ", "default" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon,quicklaunchicon" "Inno Setup: Setup Version"="REG_SZ", "5.5.5 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20200204" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Max Uninstaller\" "MajorVersion"="REG_DWORD", 3 "MinorVersion"="REG_DWORD", 8 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "https://www.maxuninstaller.com/" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Max Uninstaller\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Max Uninstaller\unins000.exe"" "URLInfoAbout"="REG_SZ", "https://www.maxuninstaller.com/" "URLUpdateInfo"="REG_SZ", "https://www.maxuninstaller.com/" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MU_FROM] "Id"="REG_EXPAND_SZ, "all" "LastUn"="REG_EXPAND_SZ, "no" "Site"="REG_EXPAND_SZ, "maxuninstaller.com" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/4/20 Scan Time: 9:11 AM Log File: e9422a74-4725-11ea-81d2-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.810 Update Package Version: 1.0.18684 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235914 Threats Detected: 34 Threats Quarantined: 34 Time Elapsed: 18 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU.exe, Quarantined, 3170, 786750, , , , Module: 1 PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU.exe, Quarantined, 3170, 786750, , , , Registry Key: 2 PUP.Optional.MaxUninstaller, HKLM\SOFTWARE\WOW6432NODE\MU_FROM, Quarantined, 6959, 786754, 1.0.18684, , ame, PUP.Optional.MaxUnInstaller, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1, Quarantined, 3170, 786750, , , , Registry Value: 1 PUP.Optional.MaxUninstaller, HKLM\SOFTWARE\WOW6432NODE\MU_FROM|SITE, Quarantined, 6959, 786754, 1.0.18684, , ame, Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.MaxUnInstaller, C:\PROGRAM FILES (X86)\MAX UNINSTALLER, Quarantined, 3170, 786750, 1.0.18684, , ame, PUP.Optional.MaxUnInstaller, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MAX UNINSTALLER, Quarantined, 3170, 786751, 1.0.18684, , ame, File: 27 PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\ALMU.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\installedsoftware.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\j_fixcs.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\License.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU_UCC.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\MU_Update.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\RAConfig.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SIConfig.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SLF_FI.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SLF_FL.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\SLF_RG.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\sqlite3.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\s_fixcs.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\unins000.dat, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\unins000.exe, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\unins000.msg, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\Uninstall.ico, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\uninstalledsoftware.txt, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\Program Files (x86)\Max Uninstaller\UnZip.dll, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Max Uninstaller.lnk, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Internet Explorer\Quick Launch\Max Uninstaller.lnk, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\USERS\PUBLIC\Desktop\Max Uninstaller.lnk, Quarantined, 3170, 786750, , , , PUP.Optional.MaxUnInstaller, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller\Max Uninstaller.lnk, Quarantined, 3170, 786751, , , , PUP.Optional.MaxUnInstaller, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Uninstaller\Uninstall Max Uninstaller.lnk, Quarantined, 3170, 786751, , , , PUP.Optional.MaxUnInstaller, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{435EC95C-BD80-49EA-BF45-9949E3ED7A71}-MAXUNINSTALLER_SETUP.EXE, Quarantined, 3170, 786767, 1.0.18684, , ame, PUP.Optional.MaxUnInstaller, C:\USERS\{username}\DESKTOP\MAXUNINSTALLER_SETUP.EXE, Quarantined, 3170, 786767, 1.0.18684, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is TotalRecipeSearch?The Malwarebytes research team has determined that TotalRecipeSearch is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.TotalRecipeSearch is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by TotalRecipeSearch?You may see this browser extension:these warnings during install:You may see this entry in your list of installed software:this new setting:and this new homepage in the affected browsers:How did TotalRecipeSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove TotalRecipeSearch?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of TotalRecipeSearch? No, Malwarebytes' Anti-Malware removes TotalRecipeSearch completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the TotalRecipeSearch hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and Malwarebytes Premium as well as Browser Guard block traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/totalrecipesearch/ttab02/index.html?n={n}&p2={p2}{tab}02&ptb={ptb}&coid={coid} CHR NewTab: Default -> Active:"chrome-extension://hlibgmpcgdamndobbdakjacfkachfgoi/ntp1.html" CHR Extension: (TotalRecipeSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi [2020-02-03] C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\TotalRecipeSearch.exe TotalRecipeSearch Internet Explorer Homepage and New Tab (HKCU\...\TotalRecipeSearchTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0 Adds the file manifest.json"="2/3/2020 9:02 AM, 2537 bytes, A Adds the file ntp1.html"="1/13/2020 5:51 PM, 1434 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata Adds the file computed_hashes.json"="2/3/2020 9:02 AM, 5628 bytes, A Adds the file verified_contents.json"="1/13/2020 5:51 PM, 7160 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\config Adds the file config.json"="1/13/2020 5:51 PM, 1457 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons Adds the file icon128.png"="2/3/2020 9:02 AM, 17561 bytes, A Adds the file icon16.png"="1/13/2020 5:51 PM, 1662 bytes, A Adds the file icon19disabled.png"="1/13/2020 5:51 PM, 1490 bytes, A Adds the file icon19on.png"="2/3/2020 9:02 AM, 809 bytes, A Adds the file icon48.png"="2/3/2020 9:02 AM, 4062 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js Adds the file ajax.js"="1/13/2020 5:51 PM, 3263 bytes, A Adds the file babAPI.js"="1/13/2020 5:51 PM, 5703 bytes, A Adds the file babClickHandler.js"="1/13/2020 5:51 PM, 11589 bytes, A Adds the file babContentScript.js"="1/13/2020 5:51 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="1/13/2020 5:51 PM, 9842 bytes, A Adds the file background.js"="1/13/2020 5:51 PM, 18898 bytes, A Adds the file browserUtils.js"="1/13/2020 5:51 PM, 1892 bytes, A Adds the file chrome.js"="1/13/2020 5:51 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="1/13/2020 5:51 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="1/13/2020 5:51 PM, 1213 bytes, A Adds the file dlp.js"="1/13/2020 5:51 PM, 5783 bytes, A Adds the file dlpHelper.js"="1/13/2020 5:51 PM, 1835 bytes, A Adds the file extensionDetect.js"="1/13/2020 5:51 PM, 4354 bytes, A Adds the file index.js"="1/13/2020 5:51 PM, 49 bytes, A Adds the file localStorageContentScript.js"="1/13/2020 5:51 PM, 2236 bytes, A Adds the file logger.js"="1/13/2020 5:51 PM, 531 bytes, A Adds the file meta.js"="1/13/2020 5:51 PM, 1660 bytes, A Adds the file offerService.js"="1/13/2020 5:51 PM, 16953 bytes, A Adds the file pageUtils.js"="1/13/2020 5:51 PM, 2905 bytes, A Adds the file PartnerId.js"="1/13/2020 5:51 PM, 16402 bytes, A Adds the file polyfill.js"="1/13/2020 5:51 PM, 875 bytes, A Adds the file product.js"="1/13/2020 5:51 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="1/13/2020 5:51 PM, 5053 bytes, A Adds the file searchBoxFocusSetterEdge.js"="1/13/2020 5:51 PM, 1648 bytes, A Adds the file splashPageRedirectHandler.js"="1/13/2020 5:51 PM, 2821 bytes, A Adds the file storageUtils.js"="1/13/2020 5:51 PM, 1718 bytes, A Adds the file TemplateParser.js"="1/13/2020 5:51 PM, 3153 bytes, A Adds the file ul.js"="1/13/2020 5:51 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="1/13/2020 5:51 PM, 2453 bytes, A Adds the file urlUtils.js"="1/13/2020 5:51 PM, 5906 bytes, A Adds the file util.js"="1/13/2020 5:51 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="1/13/2020 5:51 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="1/13/2020 5:51 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi Adds the file 000003.log"="2/3/2020 9:02 AM, 4583 bytes, A Adds the file CURRENT"="2/3/2020 9:02 AM, 16 bytes, A Adds the file LOCK"="2/3/2020 9:02 AM, 0 bytes, A Adds the file LOG"="2/3/2020 9:04 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/3/2020 9:02 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab Adds the file TooltabExtension.dll"="11/27/2019 8:45 PM, 273008 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "hlibgmpcgdamndobbdakjacfkachfgoi"="REG_SZ", "6A08FA3902E5605314C09378C194E229DC78D6C3767B242DB6CC87A7781D8D11" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/totalrecipesearch/ttab02/index.html?n={n}&p2={p2}{tab}02&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TotalRecipeSearchTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "TotalRecipeSearch Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab\TooltabExtension.dll" U uninstall:TotalRecipeSearch" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\TotalRecipeSearch] "Start Page"="REG_SZ", "https://hp.myway.com/totalrecipesearch/ttab02/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}{tab}" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/3/20 Scan Time: 9:11 AM Log File: c261019c-465c-11ea-864b-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18624 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235928 Threats Detected: 87 Threats Quarantined: 87 Time Elapsed: 18 min, 23 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab\TooltabExtension.dll, Quarantined, 694, 766239, , , , Registry Key: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TotalRecipeSearchTooltab Uninstall Internet Explorer, Quarantined, 694, 766239, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\TotalRecipeSearch, Quarantined, 1802, 444113, 1.0.18624, , ame, Registry Value: 4 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\TotalRecipeSearch|START PAGE, Quarantined, 1802, 444113, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\TotalRecipeSearch|UNINSTALLSURVEYURL, Quarantined, 1802, 769449, 1.0.18624, , ame, PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TotalRecipeSearchTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 694, 352442, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|hlibgmpcgdamndobbdakjacfkachfgoi, Quarantined, 1802, 456842, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 694, 293497, 1.0.18624, , ame, Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\TOTALRECIPESEARCHTOOLTAB, Quarantined, 694, 766239, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es_419, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_BR, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_PT, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\de, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\en, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\fr, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\it, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\ja, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\config, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI\13.921.17.11608_0, Quarantined, 1802, 456842, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI, Quarantined, 1802, 443121, 1.0.18624, , ame, File: 61 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\TotalRecipeSearchTooltab\TooltabExtension.dll, Quarantined, 694, 766239, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\000003.log, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\CURRENT, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\LOCK, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\LOG, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlibgmpcgdamndobbdakjacfkachfgoi\MANIFEST-000001, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI\13.921.17.11608_0\CONFIG\CONFIG.JSON, Quarantined, 1802, 456842, 1.0.18624, , ame, PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon128.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon16.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon19disabled.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon19on.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\icons\icon48.png, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\ajax.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babAPI.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babClickHandler.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babContentScript.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\babContentScriptAPI.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\background.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\browserUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\chrome.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\contentScriptConnectionManager.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\dateTimeUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\dlp.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\dlpHelper.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\extensionDetect.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\index.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\localStorageContentScript.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\logger.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\meta.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\offerService.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\pageUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\PartnerId.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\polyfill.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\product.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\remoteConfigLoader.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\searchBoxFocusSetterEdge.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\splashPageRedirectHandler.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\storageUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\TemplateParser.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\ul.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\urlFragmentActions.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\urlUtils.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\util.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\webtooltabAPI.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\js\webTooltabAPIProxy.js, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\de\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\en\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\es_419\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\fr\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\it\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\ja\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_BR\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_locales\pt_PT\messages.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata\computed_hashes.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\_metadata\verified_contents.json, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlibgmpcgdamndobbdakjacfkachfgoi\13.921.17.11608_0\ntp1.html, Quarantined, 1802, 456842, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HLIBGMPCGDAMNDOBBDAKJACFKACHFGOI\13.921.17.11608_0\MANIFEST.JSON, Quarantined, 1802, 443121, 1.0.18624, , ame, PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\TOTALRECIPESEARCH.EXE, Quarantined, 694, 365288, 1.0.18624, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is Flash App+?The Malwarebytes research team has determined that Flash App+ is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Flash App+?You may see this entry in your list of installed Chrome extensions:this changed setting:and these warnings during install:How did Flash App+ get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Flash App+?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Flash App+? No, Malwarebytes removes Flash App+ completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, and the full version of Malwarebytes would have protected you against the Flash App+ hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://searchpowerapp.com/results.php?p=9134&v=401&q={searchTerms}&source=default CHR DefaultSearchKeyword: Default -> spa CHR DefaultSuggestURL: Default -> hxxps://searchpowerapp.com/gjson.php?q={searchTerms} CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak [2020-01-31] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0 Adds the file background.js"="1/29/2020 6:41 PM, 5270 bytes, A Adds the file manifest.json"="1/31/2020 9:12 AM, 1604 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\_metadata Adds the file computed_hashes.json"="1/31/2020 9:12 AM, 404 bytes, A Adds the file verified_contents.json"="1/29/2020 6:37 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\icons Adds the file icon128.png"="1/31/2020 9:12 AM, 2188 bytes, A Adds the file icon48.png"="1/31/2020 9:12 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak Adds the file 000003.log"="1/31/2020 9:13 AM, 51 bytes, A Adds the file CURRENT"="1/31/2020 9:13 AM, 16 bytes, A Adds the file LOCK"="1/31/2020 9:12 AM, 0 bytes, A Adds the file LOG"="1/31/2020 9:17 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/31/2020 9:13 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ainkecddphmmmgeddjpmhkggankhjhak"="REG_SZ", "757026DD9FC4392B33B559F4495368FDA1CE2F34468154D258AA6B80428ECF4A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/31/20 Scan Time: 9:22 AM Log File: e02556ee-4402-11ea-ae1f-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18482 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236143 Threats Detected: 27 Threats Quarantined: 27 Time Elapsed: 10 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchPowerApp.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ainkecddphmmmgeddjpmhkggankhjhak, Quarantined, 14971, 770853, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\_metadata, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\icons, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AINKECDDPHMMMGEDDJPMHKGGANKHJHAK, Quarantined, 14971, 770853, 1.0.18482, , ame, File: 21 PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak\000003.log, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak\CURRENT, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak\LOCK, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak\LOG, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak\LOG.old, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ainkecddphmmmgeddjpmhkggankhjhak\MANIFEST-000001, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AINKECDDPHMMMGEDDJPMHKGGANKHJHAK\8.1.5_0\BACKGROUND.JS, Quarantined, 14971, 770853, 1.0.18482, , ame, PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\icons\icon128.png, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\icons\icon48.png, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\_metadata\computed_hashes.json, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\_metadata\verified_contents.json, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ainkecddphmmmgeddjpmhkggankhjhak\8.1.5_0\manifest.json, Quarantined, 14971, 770853, , , , PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 233, 763703, 1.0.18482, , ame, PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 233, 763703, 1.0.18482, , ame, Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 399, 460701, 1.0.18482, , ame, PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 233, 763703, 1.0.18482, , ame, PUP.Optional.SearchPowerApp, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 233, 763703, 1.0.18482, , ame, Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 399, 460701, 1.0.18482, , ame, Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, 399, 460701, 1.0.18482, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is Major Lazer Fortnite Wallpapers Tab?The Malwarebytes research team has determined that Major Lazer Fortnite Wallpapers Tab is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Major Lazer Fortnite Wallpapers Tab?You may see this entry in your list of installed Chrome extensions:this icon in the Chrome menu-bar:this changed setting:this new search provider:and these warnings during install:How did Major Lazer Fortnite Wallpapers Tab get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Major Lazer Fortnite Wallpapers Tab?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Major Lazer Fortnite Wallpapers Tab? No, Malwarebytes removes Major Lazer Fortnite Wallpapers Tab completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes would have protected you against the Major Lazer Fortnite Wallpapers Tab hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://ifojiimfpncoblmdofkbbbomllckjbdh/start/index.html" CHR Extension: (Major Lazer Fortnite Wallpapers Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh [2020-01-29] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0 Adds the file 128.png"="8/24/2019 9:19 AM, 13686 bytes, A Adds the file 16.png"="8/24/2019 9:19 AM, 556 bytes, A Adds the file manifest.json"="1/29/2020 9:07 AM, 2029 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\_metadata Adds the file computed_hashes.json"="1/29/2020 9:07 AM, 74190 bytes, A Adds the file verified_contents.json"="8/24/2019 9:19 AM, 18476 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start Adds the file favicon.ico"="6/2/2019 4:59 PM, 2043 bytes, A Adds the file index.html"="8/18/2019 2:40 PM, 29971 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\chrome Adds the file analytics.js"="6/2/2019 5:00 PM, 12902 bytes, A Adds the file common.js"="6/2/2019 5:00 PM, 3021 bytes, A Adds the file settings.js"="6/2/2019 5:00 PM, 2324 bytes, A Adds the file setup.js"="6/2/2019 5:00 PM, 16359 bytes, A Adds the file utils.js"="6/2/2019 5:00 PM, 4415 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\common Adds the file prefs-sys.js"="8/24/2019 9:19 AM, 754 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external Adds the file jquery.pause.js"="6/2/2019 5:00 PM, 762 bytes, A Adds the file jquery-2.1.1.min.js"="6/2/2019 5:00 PM, 84245 bytes, A Adds the file jquery-ui.min.js"="6/2/2019 5:00 PM, 22324 bytes, A Adds the file md5.min.js"="6/2/2019 5:00 PM, 3884 bytes, A Adds the file string.min.js"="6/2/2019 5:00 PM, 27717 bytes, A Adds the file sweetalert.min.js"="6/2/2019 5:00 PM, 16884 bytes, A Adds the file tooltip.js"="6/2/2019 5:00 PM, 16719 bytes, A Adds the file underscore-min.js"="6/2/2019 5:00 PM, 16449 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search Adds the file AutoSuggest.js"="6/2/2019 5:00 PM, 6825 bytes, A Adds the file content-homepage.js"="6/2/2019 5:00 PM, 4482 bytes, A Adds the file countdown.js"="6/2/2019 5:00 PM, 7336 bytes, A Adds the file effect.js"="6/2/2019 5:00 PM, 16769 bytes, A Adds the file front-load.js"="6/2/2019 5:00 PM, 5083 bytes, A Adds the file newtab-base.js"="6/2/2019 5:00 PM, 28813 bytes, A Adds the file relativeAppsFeature.js"="6/2/2019 5:00 PM, 3318 bytes, A Adds the file search-engines.js"="6/2/2019 5:00 PM, 813 bytes, A Adds the file search-form.js"="6/2/2019 5:00 PM, 24444 bytes, A Adds the file setTime.js"="6/2/2019 5:00 PM, 4760 bytes, A Adds the file stickynote.js"="6/2/2019 5:00 PM, 14887 bytes, A Adds the file todo_script.js"="6/2/2019 5:00 PM, 9568 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\audio Adds the file notification.wav"="6/2/2019 5:00 PM, 319532 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\css Adds the file animate.min.css"="6/2/2019 5:00 PM, 16956 bytes, A Adds the file styles.css"="6/2/2019 5:00 PM, 72477 bytes, A Adds the file sweetalert.css"="6/2/2019 5:00 PM, 22869 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\external Adds the file normalize.css"="6/2/2019 5:00 PM, 7589 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts Adds the file glyphicons-halflings-regular.eot"="6/2/2019 5:00 PM, 20127 bytes, A Adds the file glyphicons-halflings-regular.svg"="6/2/2019 5:00 PM, 108738 bytes, A Adds the file glyphicons-halflings-regular.ttf"="6/2/2019 5:00 PM, 45404 bytes, A Adds the file glyphicons-halflings-regular.woff"="6/2/2019 5:00 PM, 23424 bytes, A Adds the file glyphicons-halflings-regular.woff2"="6/2/2019 5:00 PM, 18028 bytes, A Adds the file HelveticaNeue-Thin.otf"="6/2/2019 5:00 PM, 24888 bytes, A Adds the file neue.woff"="6/2/2019 5:00 PM, 14492 bytes, A Adds the file neue-bold.woff"="6/2/2019 5:00 PM, 48112 bytes, A Adds the file note.ttf"="6/2/2019 5:00 PM, 123760 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ifojiimfpncoblmdofkbbbomllckjbdh"="REG_SZ", "CF1D10AFE8C040FF909D329A064261E48AC4924AEAC30F90F1F1FD4D4486A3CB" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/30/20 Scan Time: 8:58 AM Log File: 3ebc00d6-4336-11ea-849a-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18418 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236073 Threats Detected: 152 Threats Quarantined: 152 Time Elapsed: 41 min, 18 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MegaThemes, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ifojiimfpncoblmdofkbbbomllckjbdh, Quarantined, 15094, 785528, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\external, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\audio, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\css, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\chrome, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\common, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\_metadata, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IFOJIIMFPNCOBLMDOFKBBBOMLLCKJBDH, Quarantined, 15094, 785528, 1.0.18418, , ame, File: 133 PUP.Optional.MegaThemes, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IFOJIIMFPNCOBLMDOFKBBBOMLLCKJBDH\3.5_0\MANIFEST.JSON, Quarantined, 15094, 785528, 1.0.18418, , ame, PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\chrome\analytics.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\chrome\common.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\chrome\settings.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\chrome\setup.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\chrome\utils.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\common\prefs-sys.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\jquery-2.1.1.min.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\jquery-ui.min.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\jquery.pause.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\md5.min.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\string.min.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\sweetalert.min.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\tooltip.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\external\underscore-min.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\AutoSuggest.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\content-homepage.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\countdown.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\effect.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\front-load.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\newtab-base.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\relativeAppsFeature.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\search-engines.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\search-form.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\setTime.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\stickynote.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\search\todo_script.js, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\audio\notification.wav, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\css\animate.min.css, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\css\styles.css, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\css\sweetalert.css, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\external\normalize.css, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\glyphicons-halflings-regular.eot, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\glyphicons-halflings-regular.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\glyphicons-halflings-regular.ttf, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\glyphicons-halflings-regular.woff, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\glyphicons-halflings-regular.woff2, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\HelveticaNeue-Thin.otf, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\neue-bold.woff, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\neue.woff, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\fonts\note.ttf, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\amazon.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\ebay.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\facebook.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\google-plus.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\pinterest.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\reddit.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\tumblr.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\twitter.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\vk.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\wikipedia.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\favicons\yahoo.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\calendar.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\classroom.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\contacts.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\docs.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\drive.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\gmail.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\google-app-icons.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\hangouts.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\inbox.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\keep.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\maps.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\myaccount.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\news.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\photos.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\plus.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\sheets.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\translate.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\google\youtube.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\01d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\01n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\02d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\02n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\03d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\03n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\04d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\04n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\09d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\09n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\10d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\10n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\11d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\11n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\13d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\13n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\50d.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\weather\50n.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\128.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\16.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\48.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\close.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\new.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\icons\popular.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-01.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-02.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-03.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-04.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-05.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-06.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-07.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-08.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-09.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bg-10.jpg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\bing.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\brush-red.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\brush-white.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\brush.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\chrome.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\clock.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\cloud.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\cog.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\doodle.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\down.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\extension_grey.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\extension_grey_48x48.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\frame-bg-00.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\frame-bg-01.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\google.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\just-the-box.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\leaf.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\pointer2.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\raining-footer.gif, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\yahoo.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\skin\images\yahoo.svg, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\favicon.ico, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\start\index.html, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\_metadata\computed_hashes.json, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\_metadata\verified_contents.json, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\128.png, Quarantined, 15094, 785528, , , , PUP.Optional.MegaThemes, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifojiimfpncoblmdofkbbbomllckjbdh\3.5_0\16.png, Quarantined, 15094, 785528, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is RunSpeedCheck? The Malwarebytes research team has determined that RunSpeedCheck is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by RunSpeedCheck? You may see this entry in your list of installed Chrome extensions: this icon in the Chrome menu-bar: this changed setting: and these warnings during install: How did RunSpeedCheck get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove RunSpeedCheck? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of RunSpeedCheck? No, Malwarebytes removes RunSpeedCheck completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below Malwarebytes Browser Guard, as well as the full version of Malwarebytes, would have protected you against the RunSpeedCheck hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.runspeedcheck.com/?q={searchTerms}&publisher=runspeedcheck&barcodeid=527040000000000 CHR DefaultSearchKeyword: Default -> RunSpeedCheck CHR DefaultSuggestURL: Default -> hxxps://api.runspeedcheck.com/suggest/get?q={searchTerms} CHR Extension: (RunSpeedCheck) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm [2020-01-29] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0 Adds the file manifest.json"="1/29/2020 10:36 AM, 2102 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\_metadata Adds the file computed_hashes.json"="1/29/2020 10:36 AM, 6135 bytes, A Adds the file verified_contents.json"="10/22/2019 12:39 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\images\icons Adds the file 128x128.png"="1/29/2020 10:36 AM, 6519 bytes, A Adds the file 16x16.png"="1/29/2020 10:36 AM, 535 bytes, A Adds the file 64x64.png"="1/29/2020 10:36 AM, 2896 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\scripts Adds the file background.js"="10/22/2019 12:39 PM, 512283 bytes, A Adds the file sitecontent.js"="10/22/2019 12:39 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_ppejaphgppeagedabhkocimkkieeoogm Adds the file Run Speed Check.ico"="1/29/2020 10:36 AM, 186572 bytes, A Adds the file Run Speed Check.ico.md5"="1/29/2020 10:36 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ppejaphgppeagedabhkocimkkieeoogm"="REG_SZ", "3DA1AC9875DF7AD437685C36A9CC7666B7EC00F74F9767429FAFFCC35261C62C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/29/20 Scan Time: 10:45 AM Log File: 1434ebc6-427c-11ea-9d59-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18366 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236000 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 7 min, 9 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.RunSpeedCheck, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ppejaphgppeagedabhkocimkkieeoogm, Quarantined, 15104, 520400, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\images\icons, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\_metadata, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\scripts, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\images, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PPEJAPHGPPEAGEDABHKOCIMKKIEEOOGM, Quarantined, 15104, 520400, 1.0.18366, , ame, File: 10 PUP.Optional.RunSpeedCheck, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PPEJAPHGPPEAGEDABHKOCIMKKIEEOOGM\3.0.3_0\MANIFEST.JSON, Quarantined, 15104, 520400, 1.0.18366, , ame, PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\images\icons\128x128.png, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\images\icons\16x16.png, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\images\icons\64x64.png, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\scripts\background.js, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\scripts\sitecontent.js, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\_metadata\computed_hashes.json, Quarantined, 15104, 520400, , , , PUP.Optional.RunSpeedCheck, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ppejaphgppeagedabhkocimkkieeoogm\3.0.3_0\_metadata\verified_contents.json, Quarantined, 15104, 520400, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is MarineAquariumLite? The Malwarebytes research team has determined that MarineAquariumLite is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. MarineAquariumLite is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by MarineAquariumLite? You may see this Chrome extension: these warnings during install: You may see this entry in your list of installed software: this new setting: and this new homepage/newtab in the affected browsers: How did MarineAquariumLite get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. and the Chrome extension was also available in the webstore: How do I remove MarineAquariumLite? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of MarineAquariumLite? No, Malwarebytes' Anti-Malware removes MarineAquariumLite completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the MarineAquariumLite hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/marineaquariumlite/ttab02/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid} CHR NewTab: Default -> Active:"chrome-extension://emaafcmenpnmpfalndeocphlebbecbkp/ntp1.html" CHR Extension: (MarineAquariumLite) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp [2020-01-28] C:\Users\{username}\AppData\Local\Marine Aquarium LiteTooltab Marine Aquarium Lite Internet Explorer Homepage and New Tab (HKCU\...\Marine Aquarium LiteTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0 Adds the file manifest.json"="1/28/2020 9:19 AM, 2557 bytes, A Adds the file ntp1.html"="1/14/2020 4:44 PM, 1434 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_metadata Adds the file computed_hashes.json"="1/28/2020 9:19 AM, 7778 bytes, A Adds the file verified_contents.json"="1/14/2020 4:44 PM, 8817 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\config Adds the file config.json"="1/14/2020 4:44 PM, 2238 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\icons Adds the file icon128.png"="1/28/2020 9:19 AM, 35227 bytes, A Adds the file icon16.png"="1/28/2020 9:19 AM, 546 bytes, A Adds the file icon19disabled.png"="1/14/2020 4:44 PM, 646 bytes, A Adds the file icon19on.png"="1/28/2020 9:19 AM, 746 bytes, A Adds the file icon48.png"="1/28/2020 9:19 AM, 5955 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js Adds the file ajax.js"="1/14/2020 4:44 PM, 3263 bytes, A Adds the file babAPI.js"="1/14/2020 4:44 PM, 5950 bytes, A Adds the file babClickHandler.js"="1/14/2020 4:44 PM, 3485 bytes, A Adds the file babContentScript.js"="1/14/2020 4:44 PM, 10509 bytes, A Adds the file babContentScriptAPI.js"="1/14/2020 4:44 PM, 13191 bytes, A Adds the file babRemoteConfigProcessor.js"="1/14/2020 4:44 PM, 4311 bytes, A Adds the file babTypeFactory.js"="1/14/2020 4:44 PM, 1999 bytes, A Adds the file babTypeInjectionEmbededPage.js"="1/14/2020 4:44 PM, 3383 bytes, A Adds the file babTypeInjectionIframe.js"="1/14/2020 4:44 PM, 2114 bytes, A Adds the file babTypeInjectionIframeAPIProxy.js"="1/14/2020 4:44 PM, 3160 bytes, A Adds the file babTypeInjectionScript.js"="1/14/2020 4:44 PM, 4111 bytes, A Adds the file background.js"="1/14/2020 4:44 PM, 25379 bytes, A Adds the file browserUtils.js"="1/14/2020 4:44 PM, 1892 bytes, A Adds the file chrome.js"="1/14/2020 4:44 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="1/14/2020 4:44 PM, 23600 bytes, A Adds the file dateTimeUtils.js"="1/14/2020 4:44 PM, 1213 bytes, A Adds the file dlp.js"="1/14/2020 4:44 PM, 5852 bytes, A Adds the file dlpHelper.js"="1/14/2020 4:44 PM, 1835 bytes, A Adds the file extensionDetect.js"="1/14/2020 4:44 PM, 4357 bytes, A Adds the file index.js"="1/14/2020 4:44 PM, 49 bytes, A Adds the file localStorageContentScript.js"="1/14/2020 4:44 PM, 2237 bytes, A Adds the file logger.js"="1/14/2020 4:44 PM, 531 bytes, A Adds the file loggingLevelUtils.js"="1/14/2020 4:44 PM, 1976 bytes, A Adds the file meta.js"="1/14/2020 4:44 PM, 1697 bytes, A Adds the file newTabPageRedirectHandler.js"="1/14/2020 4:44 PM, 2902 bytes, A Adds the file notificationService.js"="1/14/2020 4:44 PM, 15355 bytes, A Adds the file offerService.js"="1/14/2020 4:44 PM, 17241 bytes, A Adds the file pageUtils.js"="1/14/2020 4:44 PM, 3132 bytes, A Adds the file PartnerId.js"="1/14/2020 4:44 PM, 16402 bytes, A Adds the file polyfill.js"="1/14/2020 4:44 PM, 875 bytes, A Adds the file product.js"="1/14/2020 4:44 PM, 8007 bytes, A Adds the file pTagService.js"="1/14/2020 4:44 PM, 7125 bytes, A Adds the file remoteConfigLoader.js"="1/14/2020 4:44 PM, 6179 bytes, A Adds the file scheduler.js"="1/14/2020 4:44 PM, 4130 bytes, A Adds the file searchBoxFocusSetterEdge.js"="1/14/2020 4:44 PM, 1648 bytes, A Adds the file splashPageRedirectHandler.js"="1/14/2020 4:44 PM, 2821 bytes, A Adds the file storageUtils.js"="1/14/2020 4:44 PM, 1718 bytes, A Adds the file surveyService.js"="1/14/2020 4:44 PM, 5401 bytes, A Adds the file templateParser.js"="1/14/2020 4:44 PM, 3153 bytes, A Adds the file ul.js"="1/14/2020 4:44 PM, 5856 bytes, A Adds the file urlFragmentActions.js"="1/14/2020 4:44 PM, 2453 bytes, A Adds the file urlUtils.js"="1/14/2020 4:44 PM, 5991 bytes, A Adds the file util.js"="1/14/2020 4:44 PM, 5402 bytes, A Adds the file watchExtensionsHandler.js"="1/14/2020 4:44 PM, 10297 bytes, A Adds the file webtooltabAPI.js"="1/14/2020 4:44 PM, 9786 bytes, A Adds the file webTooltabAPIProxy.js"="1/14/2020 4:44 PM, 8782 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\emaafcmenpnmpfalndeocphlebbecbkp Adds the file 000003.log"="1/28/2020 9:19 AM, 7939 bytes, A Adds the file CURRENT"="1/28/2020 9:19 AM, 16 bytes, A Adds the file LOCK"="1/28/2020 9:19 AM, 0 bytes, A Adds the file LOG"="1/28/2020 9:21 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/28/2020 9:19 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Marine Aquarium LiteTooltab Adds the file TooltabExtension.dll"="11/27/2019 8:44 PM, 273008 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "emaafcmenpnmpfalndeocphlebbecbkp"="REG_SZ", "8139A75E48CCBDE200F77426526BD168929263DFE73B69A9913DD9915B6CD8DE" [HKEY_CURRENT_USER\Software\Marine Aquarium Lite] "Start Page"="REG_SZ", "https://hp.myway.com/marineaquariumlite/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/marineaquariumlite/ttab02/index.html?n={n}&p2={p2}{tab}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Marine Aquarium LiteTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "Marine Aquarium Lite Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\Marine Aquarium LiteTooltab\TooltabExtension.dll" U uninstall:Marine Aquarium Lite" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/28/20 Scan Time: 9:32 AM Log File: ac576c50-41a8-11ea-8da0-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18296 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236034 Threats Detected: 100 Threats Quarantined: 100 Time Elapsed: 1 hr, 31 min, 48 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Marine Aquarium LiteTooltab\TooltabExtension.dll, Quarantined, 1795, 356944, , , , Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Marine Aquarium LiteTooltab Uninstall Internet Explorer, Quarantined, 1795, 356944, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Marine Aquarium Lite, Quarantined, 1795, 444113, 1.0.18296, , ame, Registry Value: 4 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Marine Aquarium Lite|START PAGE, Quarantined, 1795, 444113, 1.0.18296, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Marine Aquarium Lite|UNINSTALLSURVEYURL, Quarantined, 1795, 769449, 1.0.18296, , ame, PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Marine Aquarium LiteTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 686, 352442, 1.0.18296, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|emaafcmenpnmpfalndeocphlebbecbkp, Quarantined, 1795, 443121, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 686, 293497, 1.0.18296, , ame, Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Marine Aquarium LiteTooltab, Quarantined, 1795, 356944, 1.0.18296, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\emaafcmenpnmpfalndeocphlebbecbkp, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\es_419, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\pt_BR, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\pt_PT, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\de, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\en, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\es, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\fr, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\it, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\ja, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_metadata, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\config, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\icons, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EMAAFCMENPNMPFALNDEOCPHLEBBECBKP, Quarantined, 1795, 443121, 1.0.18296, , ame, File: 74 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Marine Aquarium LiteTooltab\TooltabExtension.dll, Quarantined, 1795, 356944, 1.0.18296, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\emaafcmenpnmpfalndeocphlebbecbkp\000003.log, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\emaafcmenpnmpfalndeocphlebbecbkp\CURRENT, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\emaafcmenpnmpfalndeocphlebbecbkp\LOCK, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\emaafcmenpnmpfalndeocphlebbecbkp\LOG, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\emaafcmenpnmpfalndeocphlebbecbkp\MANIFEST-000001, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EMAAFCMENPNMPFALNDEOCPHLEBBECBKP\13.924.17.13265_0\MANIFEST.JSON, Quarantined, 1795, 443121, 1.0.18296, , ame, PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\config\config.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\icons\icon128.png, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\icons\icon16.png, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\icons\icon19disabled.png, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\icons\icon19on.png, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\icons\icon48.png, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\ajax.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babAPI.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babClickHandler.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babContentScript.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babContentScriptAPI.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babRemoteConfigProcessor.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babTypeFactory.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babTypeInjectionEmbededPage.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babTypeInjectionIframe.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babTypeInjectionIframeAPIProxy.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\babTypeInjectionScript.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\background.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\browserUtils.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\chrome.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\contentScriptConnectionManager.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\dateTimeUtils.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\dlp.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\dlpHelper.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\extensionDetect.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\index.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\localStorageContentScript.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\logger.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\loggingLevelUtils.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\meta.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\newTabPageRedirectHandler.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\notificationService.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\offerService.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\pageUtils.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\PartnerId.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\polyfill.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\product.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\pTagService.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\remoteConfigLoader.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\scheduler.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\searchBoxFocusSetterEdge.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\splashPageRedirectHandler.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\storageUtils.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\surveyService.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\templateParser.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\ul.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\urlFragmentActions.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\urlUtils.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\util.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\watchExtensionsHandler.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\webtooltabAPI.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\js\webTooltabAPIProxy.js, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\de\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\en\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\es\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\es_419\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\fr\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\it\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\ja\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\pt_BR\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_locales\pt_PT\messages.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_metadata\computed_hashes.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\_metadata\verified_contents.json, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\emaafcmenpnmpfalndeocphlebbecbkp\13.924.17.13265_0\ntp1.html, Quarantined, 1795, 443121, , , , PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\MARINEAQUARIUMLITE.EXE, Quarantined, 686, 365288, 1.0.18296, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is web Patronos? The Malwarebytes research team has determined that web Patronos is a potentially unwanted program that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing. How do I know if my computer is affected by web Patronos? This is the main menu of the Chrome extension: You may see these warnings during install: and this extension in your list of installed Chrome extensions: How did web Patronos get on my computer? Adware applications use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove web Patronos? Our program Malwarebytes can detect and remove this adware program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of web Patronos? No, Malwarebytes removes web Patronos completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the web Patronos adware. It would have blocked the installer before it became too late. Technical details for experts Possible signs in FRST logs: HKCU\...\Run: [GoogleChromeAutoLaunch_3332BBCF0B575FD73CBC7F043B799440] => "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5 CHR Extension: (web Patronos) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp [2020-01-27] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0 Adds the file manifest.json"="1/27/2020 9:03 AM, 1709 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_metadata Adds the file computed_hashes.json"="1/27/2020 9:03 AM, 28409 bytes, A Adds the file verified_contents.json"="7/22/2019 12:56 AM, 5196 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\adguard Adds the file adguard-api.js"="7/22/2019 12:56 AM, 609160 bytes, A Adds the file adguard-content.js"="7/22/2019 12:56 AM, 205659 bytes, A Adds the file filters.json"="7/22/2019 12:56 AM, 41362 bytes, A Adds the file filters_i18n.json"="7/22/2019 12:56 AM, 257152 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\css Adds the file popup.73f385b3f6e7ed7f22ec4a78a99c218d.css"="7/22/2019 12:56 AM, 197199 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\fonts Adds the file element-icons.173084b.ttf"="7/22/2019 12:56 AM, 58380 bytes, A Adds the file element-icons.66650e1.woff"="7/22/2019 12:56 AM, 28940 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons Adds the file 128.png"="1/27/2020 9:03 AM, 6884 bytes, A Adds the file 16.png"="1/27/2020 9:03 AM, 675 bytes, A Adds the file 48.png"="1/27/2020 9:03 AM, 2476 bytes, A Adds the file icon.png"="7/22/2019 12:56 AM, 1723 bytes, A Adds the file icon-disabled.png"="7/22/2019 12:56 AM, 397 bytes, A Adds the file tooltip-icon.svg"="7/22/2019 12:56 AM, 382 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\img Adds the file wp-logo-blue.svg"="7/22/2019 12:56 AM, 22786 bytes, A Adds the file wp-logo-white.svg"="7/22/2019 12:56 AM, 22788 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\js Adds the file background.js"="7/22/2019 12:56 AM, 23100 bytes, A Adds the file manifest.js"="7/22/2019 12:56 AM, 811 bytes, A Adds the file popup.js"="7/22/2019 12:56 AM, 31026 bytes, A Adds the file tab.js"="7/22/2019 12:56 AM, 1087 bytes, A Adds the file vendor.js"="7/22/2019 12:56 AM, 795321 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\pages Adds the file app.html"="7/22/2019 12:56 AM, 522 bytes, A Adds the file background.html"="7/22/2019 12:56 AM, 594 bytes, A Adds the file popup.html"="7/22/2019 12:56 AM, 624 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp Adds the file 000003.log"="1/27/2020 9:03 AM, 0 bytes, A Adds the file CURRENT"="1/27/2020 9:03 AM, 16 bytes, A Adds the file LOCK"="1/27/2020 9:03 AM, 0 bytes, A Adds the file LOG"="1/27/2020 9:03 AM, 0 bytes, A Adds the file MANIFEST-000001"="1/27/2020 9:03 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gpeheaoamimekpbilbielhdgddangafp"="REG_SZ", "28601E5A9073618943372EFD07A0735C8843DC6C8B52BB5061942A4B95E0EFBD" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "GoogleChromeAutoLaunch_3332BBCF0B575FD73CBC7F043B799440"="REG_SZ", ""C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/27/20 Scan Time: 10:11 AM Log File: 0e35e9ac-40e5-11ea-bc83-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18278 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235537 Threats Detected: 65 Threats Quarantined: 65 Time Elapsed: 6 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 21 PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\de, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\en, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\es, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\fr, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\it, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\nl, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\pl, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\pt, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\ru, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_metadata, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\adguard, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\fonts, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\pages, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\css, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\img, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\gpeheaoamimekpbilbielhdgddangafp, Quarantined, 2232, 783753, 1.0.18278, , ame, File: 43 PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\adguard\adguard-api.js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\adguard\adguard-content.js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\adguard\filters.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\adguard\filters_i18n.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\css\popup.73f385b3f6e7ed7f22ec4a78a99c218d.css, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\fonts\element-icons.173084b.ttf, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\fonts\element-icons.66650e1.woff, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons\128.png, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons\16.png, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons\48.png, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons\icon-disabled.png, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons\icon.png, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\icons\tooltip-icon.svg, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\img\wp-logo-blue.svg, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\img\wp-logo-white.svg, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\js\background.js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\js\manifest.js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\js\popup.js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\js\tab.js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\js\vendor.js, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\pages\app.html, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\pages\background.html, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\pages\popup.html, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\de\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\en\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\es\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\fr\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\it\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\nl\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\pl\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\pt\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_locales\ru\messages.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_metadata\computed_hashes.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\_metadata\verified_contents.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpeheaoamimekpbilbielhdgddangafp\1.0.1_0\manifest.json, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp\000003.log, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp\CURRENT, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp\LOCK, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp\LOG, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp\LOG.old, Quarantined, 2232, 783753, , , , PUP.Optional.WebPatronas, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gpeheaoamimekpbilbielhdgddangafp\MANIFEST-000001, Quarantined, 2232, 783753, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is SAntivirus?The Malwarebytes research team has determined that SAntivirus is a potentially unwanted program (PUP).How do I know if I am infected with SAntivirus?This is how the main screen of the PUP looks:You will find this icon in your taskbar, and your startmenu:You may see these warnings during install:these new services:this new driver:and this entry in your list of installed programs:How did SAntivirus get on my computer?These PUPs use different methods of getting installed. This particular one was installed by a bundler.How do I remove SAntivirus?Our program Malwarebytes can detect and remove this potentially unwanted application.This program needs to be removed in Safe Mode.Please follow these instructions:Run Malwarebytes from Safe Mode with Networking:Step 1:Boot into Safe Mode with Networking: Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point, you should gently tap the F8 key repeatedly until you are presented with the Advanced Boot Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press Enter on your keyboard to boot into Safe Mode. If prompted to choose a user account to login, click on your normal user name (not Administrator unless that is your normal user account) to log into Windows Step 2: Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system back into normal mode. Is there anything else I need to do to get rid of SAntivirus? No, Malwarebytes removes SAntivirus completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this PUP.As you can see below the full version of Malwarebytes would have protected you against the SAntivirus installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Digital Communications Inc -> Digital Com. Inc) C:\Program Files (x86)\SAntivirus\SAntivirusClient.exe (Digital Communications Inc -> Digital Com. Inc) C:\Program Files (x86)\SAntivirus\SAntivirusIC.exe (Digital Communications Inc -> Digital Com. Inc) C:\Program Files (x86)\SAntivirus\SAntivirusService.exe "SAntivirusIC" => service was unlocked. <==== ATTENTION R2 SAntivirusIC; C:\Program Files (x86)\SAntivirus\SAntivirusIC.exe [6988496 2020-01-24] (Digital Communications Inc -> Digital Com. Inc) R2 SAntivirusSvc; C:\Program Files (x86)\SAntivirus\SAntivirusService.exe [141008 2020-01-24] (Digital Communications Inc -> Digital Com. Inc) R1 SANTIVIRUSKD; C:\Program Files (x86)\SAntivirus\SAntivirusKD.sys [90096 2020-01-24] (Digital Communications Inc. -> Digital Comm. Inc) C:\Users\{username}\AppData\Roaming\santivirusclient C:\Program Files (x86)\SAntivirus C:\ProgramData\SAntivirus C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAntivirus (Digital Com. Inc ©) C:\Users\{username}\Desktop\SetupS.exe SAntivirus Product (HKLM-x32\...\SAntivirus) (Version: 1.0.21.19 - Digital Com. Inc) ContextMenuHandlers1: [SAntivirusShellExtension.FileContextMenuExt] -> {7784BE7F-A15C-4A41-ACF5-4CC020154952} => C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll [2020-01-24] (Digital Communications Inc -> Digital Com. Inc) ContextMenuHandlers4: [SAntivirusShellExtension.FileContextMenuExt] -> {7784BE7F-A15C-4A41-ACF5-4CC020154952} => C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll [2020-01-24] (Digital Communications Inc -> Digital Com. Inc) ContextMenuHandlers6: [SAntivirusShellExtension.FileContextMenuExt] -> {7784BE7F-A15C-4A41-ACF5-4CC020154952} => C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll [2020-01-24] (Digital Communications Inc -> Digital Com. Inc) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\SAntivirus Adds the file Errors.dat"="1/24/2020 9:50 AM, 330 bytes, A Adds the file ExclusionsList.dat"="1/24/2020 9:50 AM, 81196 bytes, A Adds the file Microsoft.Diagnostics.Tracing.TraceEvent.dll"="12/19/2018 12:23 PM, 1008944 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="12/19/2018 12:23 PM, 310784 bytes, A Adds the file package.dat"="12/26/2019 4:43 PM, 20129892 bytes, A Adds the file rsEngine.config"="1/24/2020 9:50 AM, 256 bytes, A Adds the file rsEngine.dll"="12/6/2019 2:43 PM, 5570328 bytes, A Adds the file rsEngineHelper.exe"="1/24/2020 9:48 AM, 164120 bytes, A Adds the file rsEngineHelper.exe.config"="12/19/2018 12:23 PM, 383 bytes, A Adds the file rsEngineSDK.dll"="12/6/2019 2:43 PM, 242456 bytes, A Adds the file SAntivirusClient.exe"="1/24/2020 9:48 AM, 1726672 bytes, A Adds the file SAntivirusClient.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusEngine.dll"="1/24/2020 9:48 AM, 1031376 bytes, A Adds the file SAntivirusIC.config"="1/24/2020 9:54 AM, 1 bytes, A Adds the file SAntivirusIC.exe"="1/24/2020 9:48 AM, 6988496 bytes, A Adds the file SAntivirusKD.sys"="1/24/2020 9:48 AM, 90096 bytes, A Adds the file SAntivirusService.config"="1/24/2020 9:53 AM, 2048 bytes, A Adds the file SAntivirusService.exe"="1/24/2020 9:48 AM, 141008 bytes, A Adds the file SAntivirusService.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusShell64_v102119.dll"="1/24/2020 9:48 AM, 185040 bytes, A Adds the file SAntivirusShell86_v102119.dll"="1/24/2020 9:48 AM, 154832 bytes, A Adds the file SAntivirusTools.dll"="1/24/2020 9:48 AM, 55504 bytes, A Adds the file SAntivirusUninstaller.exe"="1/24/2020 9:48 AM, 1253072 bytes, A Adds the file SAntivirusUninstaller.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file Signatures.dat"="1/24/2020 9:50 AM, 1108824 bytes, A Adds the file SignaturesPacks.dat"="1/24/2020 9:50 AM, 204460 bytes, A Adds the file System.Threading.dll"="12/19/2018 12:23 PM, 387408 bytes, A Adds the file un.ico"="12/26/2019 4:04 PM, 34494 bytes, A Adds the file WhiteList.dat"="1/24/2020 9:50 AM, 311020 bytes, A Adds the folder C:\Program Files (x86)\SAntivirus\amd64 Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 223008 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1380512 bytes, A Adds the folder C:\Program Files (x86)\SAntivirus\Cache Adds the folder C:\Program Files (x86)\SAntivirus\x64 Adds the file 7z64.dll"="12/19/2018 12:23 PM, 1646592 bytes, A Adds the file ext_x64.dll"="12/19/2018 12:23 PM, 375576 bytes, A Adds the file lz4_x64.dll"="12/19/2018 12:23 PM, 119064 bytes, A Adds the file rsEngineFW_x64.dll"="12/19/2018 12:23 PM, 104216 bytes, A Adds the file rsEnginePM_x64.dll"="12/19/2018 12:23 PM, 228120 bytes, A Adds the file rsLggrServer_x64.dll"="12/19/2018 12:23 PM, 821528 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1658136 bytes, A Adds the folder C:\Program Files (x86)\SAntivirus\x86 Adds the file 7z86.dll"="12/19/2018 12:23 PM, 1113088 bytes, A Adds the file ext_x86.dll"="12/19/2018 12:23 PM, 280344 bytes, A Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 167200 bytes, A Adds the file lz4_x86.dll"="12/19/2018 12:23 PM, 98584 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1081656 bytes, A Adds the file rsEngineFW_x86.dll"="12/19/2018 12:23 PM, 88856 bytes, A Adds the file rsEnginePM_x86.dll"="12/19/2018 12:23 PM, 190744 bytes, A Adds the file rsLggrServer_x86.dll"="12/19/2018 12:23 PM, 569344 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1209624 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAntivirus Adds the file SAntivirus Product.lnk"="1/24/2020 9:48 AM, 1011 bytes, A Adds the folder C:\ProgramData\SAntivirus Adds the file b.dat"="1/24/2020 9:48 AM, 19050864 bytes, A Adds the folder C:\ProgramData\SAntivirus\b Adds the file Microsoft.Diagnostics.Tracing.TraceEvent.dll"="12/19/2018 12:23 PM, 1008944 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="12/19/2018 12:23 PM, 310784 bytes, A Adds the file rsEngine.dll"="12/6/2019 2:43 PM, 5570328 bytes, A Adds the file rsEngineHelper.exe"="1/24/2020 9:48 AM, 164120 bytes, A Adds the file rsEngineHelper.exe.config"="12/19/2018 12:23 PM, 383 bytes, A Adds the file rsEngineSDK.dll"="12/6/2019 2:43 PM, 242456 bytes, A Adds the file SAntivirusClient.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusService.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SAntivirusUninstaller.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file System.Threading.dll"="12/19/2018 12:23 PM, 387408 bytes, A Adds the folder C:\ProgramData\SAntivirus\b\amd64 Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 223008 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1380512 bytes, A Adds the folder C:\ProgramData\SAntivirus\b\x64 Adds the file 7z64.dll"="12/19/2018 12:23 PM, 1646592 bytes, A Adds the file ext_x64.dll"="12/19/2018 12:23 PM, 375576 bytes, A Adds the file lz4_x64.dll"="12/19/2018 12:23 PM, 119064 bytes, A Adds the file rsEngineFW_x64.dll"="12/19/2018 12:23 PM, 104216 bytes, A Adds the file rsEnginePM_x64.dll"="12/19/2018 12:23 PM, 228120 bytes, A Adds the file rsLggrServer_x64.dll"="12/19/2018 12:23 PM, 821528 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1658136 bytes, A Adds the folder C:\ProgramData\SAntivirus\b\x86 Adds the file 7z86.dll"="12/19/2018 12:23 PM, 1113088 bytes, A Adds the file ext_x86.dll"="12/19/2018 12:23 PM, 280344 bytes, A Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 167200 bytes, A Adds the file lz4_x86.dll"="12/19/2018 12:23 PM, 98584 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1081656 bytes, A Adds the file rsEngineFW_x86.dll"="12/19/2018 12:23 PM, 88856 bytes, A Adds the file rsEnginePM_x86.dll"="12/19/2018 12:23 PM, 190744 bytes, A Adds the file rsLggrServer_x86.dll"="12/19/2018 12:23 PM, 569344 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1209624 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\santivirusclient Adds the file santivirusclientConfig.xml"="1/24/2020 9:50 AM, 1233 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}] "(Default)"="REG_SZ", "SAntivirusShellExtension.FileContextMenuExt Class" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32] "(Default)"="REG_SZ", "C:\Program Files (x86)\SAntivirus\SAntivirusShell64_v102119.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\*\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\Folder\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\lnkfile\shellex\ContextMenuHandlers\SAntivirusShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{7784BE7F-A15C-4A41-ACF5-4CC020154952}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}] "(Default)"="REG_SZ", "SAntivirusShellExtension.FileContextMenuExt Class" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32] "(Default)"="REG_SZ", "C:\Program Files (x86)\SAntivirus\SAntivirusShell86_v102119.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\SAntivirus\Protected] [HKEY_LOCAL_MACHINE\SOFTWARE\SAntivirus] "campid"="REG_SZ", "" "channel"="REG_SZ", "" "DIUCIE"="REG_SZ", "oPeivQUmp1HQIdzZWWYABAr9vhEl/K1fdKcJ7hJ6vnywqDG2B5iBnmpea/CqXWRf" "EVNLSA"="REG_SZ", "637154562580668961" "fbsd_ictssd"="REG_DWORD", 1579820400 "FirstRun"="REG_SZ", "1/24/2020 9:50:00 AM" "INSTDT"="REG_SZ", "637154562016873158" "ite"="REG_DWORD", 1579855733 "iuid"="REG_SZ", "0" "lhsday"="REG_DWORD", 1579820400 "lvsday"="REG_DWORD", 1579820400 "pixel"="REG_SZ", "" "PMDPP"="REG_SZ", "0" "RGUSR"="REG_SZ", "637154562017964466" "SDKLFC"="REG_SZ", "637154562577666195" "SDKLUC"="REG_SZ", "637154562575272531" "ServicePipe"="REG_SZ", "SAntivirus1" "SIGLC"="REG_SZ", "1/24/2020 9:50:56 AM" "su"="REG_SZ", "8a803927793b13626b59dcb4adcbc283f2feda7d196e4eb3f807fb4cc6b183d9" "tg"="REG_SZ", "" "U"="REG_SZ", "0ab2630c-b6c0-4568-aa9d-7394687dd436" "UH"="REG_SZ", "840A88286A38BC706482266E552A7018" "WLLCK"="REG_SZ", "1/24/2020 9:50:57 AM" [HKEY_LOCAL_MACHINE\SOFTWARE\SegOption] "fst"="REG_DWORD", 1 "gui"="REG_DWORD", 42 "guisc"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SAntivirus] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SAntivirus\un.ico" "DisplayName"="REG_SZ", "SAntivirus Product" "DisplayVersion"="REG_SZ", "1.0.21.19" "EstimatedSize"="REG_DWORD", 49640 "Publisher"="REG_SZ", "Digital Com. Inc" "UninstallString"="REG_SZ", "C:\Program Files (x86)\SAntivirus\SAntivirusUninstaller.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\SAntivirus\Protected] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SAntivirus] "cr"="REG_DWORD", 1579855627 "EVNLSA"="REG_SZ", "637154562580668961" "FirstRun"="REG_SZ", "1/24/2020 9:50:00 AM" "IMode"="REG_DWORD", 0 "InstallDir"="REG_SZ", "C:\Program Files (x86)\SAntivirus" "INSTDT"="REG_SZ", "637154562016873158" "PMDPP"="REG_SZ", "0" "RGUSR"="REG_SZ", "637154562017964466" "SDKLFC"="REG_SZ", "637154562577666195" "SDKLUC"="REG_SZ", "637154562575272531" "SIGLC"="REG_SZ", "1/24/2020 9:50:56 AM" "U"="REG_SZ", "0ab2630c-b6c0-4568-aa9d-7394687dd436" "UH"="REG_SZ", "840A88286A38BC706482266E552A7018" "WLLCK"="REG_SZ", "1/24/2020 9:50:57 AM" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SAntivirusProduct] "InstallEnd"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\SAntivirusSvc] "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusIC] "Description"="REG_SZ", "This service protect your pc from viruses and spyware." "DisplayName"="REG_SZ", "SAntivirusIC" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SAntivirus\SAntivirusIC.exe -service" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusIC\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SANTIVIRUSKD] "DisplayName"="REG_SZ", "SAntivirus Kernel Driver" "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "SAntivirus Kernel Driver" "ImagePath"="REG_EXPAND_SZ, "\??\C:\Program Files (x86)\SAntivirus\SAntivirusKD.sys" "Start"="REG_DWORD", 1 "Tag"="REG_DWORD", 1 "Type"="REG_DWORD", 1 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SANTIVIRUSKD\Enum] "0"="REG_SZ", "Root\LEGACY_SANTIVIRUSKD\0000" "Count"="REG_DWORD", 1 "NextInstance"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusSvc] "Description"="REG_SZ", "This service protect your pc from viruses and spyware." "DisplayName"="REG_SZ", "SAntivirusSvc" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SAntivirus\SAntivirusService.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAntivirusSvc\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/24/20 Scan Time: 11:00 AM Log File: 55ffdc54-3e90-11ea-b6a9-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.793 Update Package Version: 1.0.18176 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235953 Threats Detected: 37 Threats Quarantined: 37 Time Elapsed: 4 min, 5 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 22 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\SAntivirusShellExtension.FileContextMenuExt, Quarantined, 1553, 783943, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SAntivirusIC, Quarantined, 1553, 783952, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SANTIVIRUSKD, Quarantined, 1553, 783953, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SAntivirusSvc, Quarantined, 1553, 783954, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\SAntivirus, Quarantined, 1553, 783949, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\SegOption, Quarantined, 1553, 757809, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\SAntivirus, Quarantined, 1553, 783948, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SAntivirus, Quarantined, 1553, 783950, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\*\SHELLEX\CONTEXTMENUHANDLERS\SAntivirusShellExtension.FileContextMenuExt, Quarantined, 1553, 783945, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\SAntivirus, Quarantined, 1553, 783949, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\SAntivirusProduct, Quarantined, 1553, 783951, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\santivirusclient_RASAPI32, Quarantined, 1553, 783946, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\santivirusclient_RASMANCS, Quarantined, 1553, 783946, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SAntivirusService_RASAPI32, Quarantined, 1553, 783947, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SAntivirusService_RASMANCS, Quarantined, 1553, 783947, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\SAntivirus, Quarantined, 1553, 783948, 1.0.18176, , ame, PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}\InprocServer32, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7784BE7F-A15C-4A41-ACF5-4CC020154952}, Quarantined, 1553, 783944, 1.0.18176, , ame, Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SANTIVIRUS, Quarantined, 1553, 783939, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAMDATA\SANTIVIRUS, Quarantined, 1553, 783940, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\USERS\{username}\APPDATA\ROAMING\SANTIVIRUSCLIENT, Quarantined, 1553, 783941, 1.0.18176, , ame, File: 11 PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSIC.EXE, Quarantined, 1553, 783952, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSKD.SYS, Quarantined, 1553, 783953, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSERVICE.EXE, Quarantined, 1553, 783954, , , , PUP.Optional.Segurazo, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAntivirus\SAntivirus Product.lnk, Quarantined, 1553, 783939, , , , PUP.Optional.Segurazo, C:\Users\{username}\AppData\Roaming\santivirusclient\santivirusclientConfig.xml, Quarantined, 1553, 783941, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSHELL64_V102119.DLL, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSHELL86_V102119.DLL, Quarantined, 1553, 783944, , , , PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSKD.SYS, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSIC.EXE, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SANTIVIRUS\SANTIVIRUSSERVICE.EXE, Quarantined, 1553, 783938, 1.0.18176, , ame, PUP.Optional.Segurazo, C:\USERS\{username}\DESKTOP\SETUPS.EXE, Quarantined, 1553, 783956, 1.0.18176, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  22. What is The Cooking Club? The Malwarebytes research team has determined that The Cooking Club is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by The Cooking Club? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did The Cooking Club get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove The Cooking Club? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of The Cooking Club? No, Malwarebytes removes The Cooking Club completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the The Cooking Club hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.thecooking.club/?q={searchTerms}&publisher=thecookingclub&barcodeid=550870000000000 CHR DefaultSearchKeyword: Default -> TheCookingClub CHR DefaultSuggestURL: Default -> hxxps://api.thecooking.club/suggest/get?q={searchTerms} CHR Notifications: Default -> hxxps://install.thecooking.club CHR Extension: (TheCookingClub) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb [2020-01-23] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0 Adds the file manifest.json"="1/23/2020 8:56 AM, 2097 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata Adds the file computed_hashes.json"="1/23/2020 8:56 AM, 6088 bytes, A Adds the file verified_contents.json"="10/11/2019 6:59 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons Adds the file 128x128.png"="1/23/2020 8:56 AM, 5776 bytes, A Adds the file 16x16.png"="1/23/2020 8:56 AM, 551 bytes, A Adds the file 64x64.png"="1/23/2020 8:56 AM, 2801 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts Adds the file background.js"="10/3/2019 7:28 PM, 511630 bytes, A Adds the file sitecontent.js"="10/3/2019 7:28 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gpaghkhgcphifedcphoomdcjidnfhpjb Adds the file The Cooking Club.ico"="1/23/2020 8:56 AM, 189776 bytes, A Adds the file The Cooking Club.ico.md5"="1/23/2020 8:56 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gpaghkhgcphifedcphoomdcjidnfhpjb"="REG_SZ", "9F7F72C0999F624F27A10A4AD540C7CFEE466FE42850109DFF50E50118A1822A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/23/20 Scan Time: 9:13 AM Log File: 31d94ae6-3db8-11ea-97e5-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.18112 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236001 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 6 min, 36 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.TheCookingClub, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gpaghkhgcphifedcphoomdcjidnfhpjb, Quarantined, 435, 750351, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GPAGHKHGCPHIFEDCPHOOMDCJIDNFHPJB, Quarantined, 435, 750351, 1.0.18112, , ame, File: 12 PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GPAGHKHGCPHIFEDCPHOOMDCJIDNFHPJB\3.0.3_0\MANIFEST.JSON, Quarantined, 435, 750351, 1.0.18112, , ame, PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons\128x128.png, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons\16x16.png, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\images\icons\64x64.png, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts\background.js, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\scripts\sitecontent.js, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata\computed_hashes.json, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaghkhgcphifedcphoomdcjidnfhpjb\3.0.3_0\_metadata\verified_contents.json, Quarantined, 435, 750351, , , , PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 435, 750349, 1.0.18112, , ame, PUP.Optional.TheCookingClub, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 435, 750349, 1.0.18112, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is Security Reviver? The Malwarebytes research team has determined that Security Reviver is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog. How do I know if I am infected with Security Reviver? This is how the main screen of the system optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop: and see these warnings during install: and this type of screens during "operations": You may see this entry in your list of installed programs: and these tasks in your list of Scheduled Tasks: How did Security Reviver get on my computer? These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website: How do I remove Security Reviver? Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Security Reviver? No, Malwarebytes removes Security Reviver completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this system optimizer. As you can see below the full version of Malwarebytes would have protected you against the Security Reviver installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts You may see these entries in FRST logs: (Corel Corporation -> Corel Corporation) C:\Program Files (x86)\Security Reviver\SecRev.exe Task: {2E1D2ED2-7C7B-4B2F-9BAA-04BB6EA2FEE2} - System32\Tasks\sr_notifier_executor => C:\Program Files (x86)\Security Reviver\notifier.exe [1873432 2020-01-09] (Corel Corporation -> Corel Corporation) Task: {C69819AC-6DEE-4FCE-AF8C-E525EDB6CAFB} - System32\Tasks\Security Reviver_startup => C:\Program Files (x86)\Security Reviver\SecRev.exe [7627288 2020-01-09] (Corel Corporation -> Corel Corporation) C:\Users\{username}\AppData\Local\ReviverSoft C:\Windows\system32\Tasks\sr_notifier_executor C:\Windows\system32\Tasks\Security Reviver_startup C:\Users\Public\Desktop\Security Reviver.lnk C:\ProgramData\Desktop\Security Reviver.lnk C:\Users\{username}\AppData\Roaming\ReviverSoft C:\ProgramData\ReviverSoft C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver C:\Program Files (x86)\Security Reviver (Corel Corporation) C:\Windows\system32\secrevnative64.exe (Security Reviver ) C:\Users\{username}\Desktop\SecurityReviverSetup.exe Security Reviver (HKLM-x32\...\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_ReviverSoft~2C1D94A4_is1) (Version: 2.1.1000.26600 - Security Reviver) <==== ATTENTION Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Security Reviver Adds the file AppManager.exe"="1/9/2020 3:36 PM, 484376 bytes, A Adds the file AppResource.dll"="1/9/2020 3:36 PM, 13068824 bytes, A Adds the file categories.ini"="6/12/2017 1:15 PM, 42820 bytes, A Adds the file Chinese_asp_ZH-CN.ini"="12/19/2018 2:13 PM, 54406 bytes, A Adds the file danish_asp_DA.ini"="12/19/2018 2:13 PM, 96598 bytes, A Adds the file dutch_asp_NL.ini"="12/19/2018 2:13 PM, 96826 bytes, A Adds the file eng_asp_en.ini"="1/3/2020 10:32 AM, 52795 bytes, A Adds the file Finnish_asp_FI.ini"="12/19/2018 2:14 PM, 96608 bytes, A Adds the file french_asp_FR.ini"="12/19/2018 2:14 PM, 107768 bytes, A Adds the file german_asp_DE.ini"="12/19/2018 2:14 PM, 106344 bytes, A Adds the file helper.dll"="1/9/2020 3:36 PM, 2322968 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="1/9/2020 3:36 PM, 55320 bytes, A Adds the file italian_asp_IT.ini"="12/19/2018 2:14 PM, 101580 bytes, A Adds the file japanese_asp_JA.ini"="12/19/2018 1:16 PM, 66162 bytes, A Adds the file lci.lci"="1/22/2020 8:38 AM, 675 bytes, H Adds the file loading_withWhiteBG.avi"="6/12/2017 1:15 PM, 103936 bytes, A Adds the file Microsoft.Win32.TaskScheduler.DLL"="1/9/2020 3:36 PM, 121368 bytes, A Adds the file norwegian_asp_NO.ini"="12/19/2018 1:16 PM, 92240 bytes, A Adds the file notifier.exe"="1/9/2020 3:36 PM, 1873432 bytes, A Adds the file portuguese_asp_PT-BR.ini"="12/19/2018 2:15 PM, 98598 bytes, A Adds the file russian_asp_ru.ini"="12/19/2018 1:17 PM, 98740 bytes, A Adds the file scandll.dll"="1/9/2020 3:36 PM, 66584 bytes, A Adds the file SecRev.exe"="1/9/2020 3:36 PM, 7627288 bytes, A Adds the file SecRev.exe.config"="1/3/2020 2:46 PM, 6466 bytes, A Adds the file spanish_asp_ES.ini"="12/19/2018 1:17 PM, 103814 bytes, A Adds the file sr.ico"="6/12/2017 1:15 PM, 17542 bytes, A Adds the file swedish_asp_SV.ini"="12/19/2018 1:17 PM, 93652 bytes, A Adds the file System.Core.dll"="1/9/2020 3:36 PM, 673816 bytes, A Adds the file System.Data.SQLite.dll"="1/9/2020 3:36 PM, 892440 bytes, A Adds the file tray.exe"="1/9/2020 3:36 PM, 2041368 bytes, A Adds the file unins000.dat"="1/22/2020 8:38 AM, 95695 bytes, A Adds the file unins000.exe"="1/22/2020 8:38 AM, 1198616 bytes, A Adds the file unins000.msg"="1/22/2020 8:38 AM, 22701 bytes, A Adds the file unrar.dll"="1/9/2020 3:36 PM, 174616 bytes, A Adds the file Xceed.Compression.dll"="1/9/2020 3:36 PM, 108568 bytes, A Adds the file Xceed.Compression.Formats.dll"="1/9/2020 3:36 PM, 71704 bytes, A Adds the file Xceed.FileSystem.dll"="1/9/2020 3:36 PM, 129048 bytes, A Adds the file Xceed.Zip.dll"="1/9/2020 3:36 PM, 202776 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver Adds the file Register Security Reviver.lnk"="1/22/2020 8:38 AM, 1095 bytes, A Adds the file Security Reviver.lnk"="1/22/2020 8:38 AM, 1069 bytes, A Adds the file Uninstall Security Reviver.lnk"="1/22/2020 8:38 AM, 1081 bytes, A Adds the folder C:\ProgramData\ReviverSoft\Security Reviver Adds the file AddonSafelist"="6/12/2017 1:15 PM, 13312 bytes, A Adds the file log.xslt"="6/12/2017 1:15 PM, 24753 bytes, A Adds the folder C:\ProgramData\ReviverSoft\Security Reviver\signatures Adds the file completedatabase.db"="1/22/2020 8:45 AM, 209821696 bytes, A Adds the file Cookies.bin"="1/22/2020 8:45 AM, 233928 bytes, A Adds the file DigSign.bin"="1/22/2020 8:45 AM, 132216 bytes, A Adds the file FilePaths.bin"="1/22/2020 8:45 AM, 5838576 bytes, A Adds the file FileSignature.bin"="1/22/2020 8:45 AM, 26693928 bytes, A Adds the file Folders.bin"="1/22/2020 8:45 AM, 1689184 bytes, A Adds the file Md5.bin"="1/22/2020 8:45 AM, 63720808 bytes, A Adds the file Registry.bin"="1/22/2020 8:45 AM, 39185360 bytes, A Adds the file SetupSign.bin"="1/22/2020 8:45 AM, 13472 bytes, A Adds the file StrSetupSign.bin"="1/22/2020 8:45 AM, 1792 bytes, A Adds the folder C:\ProgramData\ReviverSoft\Security Reviver\updates Adds the file 3262completedatabase.zip"="1/22/2020 8:40 AM, 36169813 bytes, A Adds the file 4025mupdate.zip"="1/22/2020 8:44 AM, 57688093 bytes, A Adds the file 4026update.zip"="1/22/2020 8:44 AM, 128602 bytes, A Adds the folder C:\Users\{username}\AppData\Local\ReviverSoft\Security Reviver Adds the file ScanEngineErrorLog.txt"="1/22/2020 8:48 AM, 6083 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver Adds the file ASPLog.txt"="1/22/2020 8:50 AM, 5553 bytes, A Adds the file QDetail.db"="1/22/2020 8:38 AM, 4096 bytes, A Adds the file Settings.db"="1/22/2020 8:48 AM, 12288 bytes, A Adds the file Update.ini"="1/22/2020 8:39 AM, 2356 bytes, A Adds the file uuid.txt"="1/22/2020 8:38 AM, 35 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs Adds the file log_22-01-20_08-48-21.xml"="1/22/2020 8:48 AM, 42979 bytes, A Adds the file SMLog.xml"="1/22/2020 8:48 AM, 1550 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Security Reviver.lnk"="1/22/2020 8:38 AM, 1051 bytes, A In the existing folder C:\Windows\System32 Adds the file secrevnative64.exe"="1/9/2020 3:36 PM, 27672 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Security Reviver_startup"="1/22/2020 8:38 AM, 3068 bytes, A Adds the file sr_notifier_executor"="1/22/2020 8:38 AM, 3602 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_ReviverSoft~2C1D94A4_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Security Reviver\SecRev.exe" "DisplayName"="REG_SZ", "Security Reviver" "DisplayVersion"="REG_SZ", "2.1.1000.26600" "EstimatedSize"="REG_DWORD", 31851 "HelpLink"="REG_SZ", "https://www.reviversoft.com/security-reviver/" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "Inno Setup: Icon Group"="REG_SZ", "Security Reviver" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.9 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20200122" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Security Reviver\" "MajorVersion"="REG_DWORD", 2 "MinorVersion"="REG_DWORD", 1 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Security Reviver" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Security Reviver\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Security Reviver\unins000.exe"" "URLInfoAbout"="REG_SZ", "https://www.reviversoft.com/security-reviver/" "VersionMajor"="REG_DWORD", 2 "VersionMinor"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ReviverSoft\Params] "affiliateid"="REG_SZ", "" "ASPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "reviversoft" "x-at"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ReviverSoft\Security Reviver] "affiliateid"="REG_SZ", "" "afterInstallUrl"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Install&BuildID=0&t=" "buildid"="REG_SZ", "0" "BuyNowURL"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Purchase&BuildID=0&t=" "BuyNowURLADU"="REG_SZ", "" "BuyNowURLASP"="REG_SZ", "" "BuyNowURLPB"="REG_SZ", "" "BuyNowURLRCP"="REG_SZ", "" "cmd_t"="REG_SZ", "" "Expired"="REG_DWORD", 0 "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "isphone"="REG_SZ", "0" "IsScanOptional"="REG_DWORD", 1 "issilent"="REG_DWORD", 1 "MaxFixLimit"="REG_DWORD", 0 "REGVER"="REG_DWORD", 0 "REGVER-UNINSTALL"="REG_DWORD", 0 "RenewNowURL"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Renew&BuildID=0&t=" "RenewNowURLADU"="REG_SZ", "" "RenewNowURLASP"="REG_SZ", "" "RenewNowURLPB"="REG_SZ", "" "RenewNowURLRCP"="REG_SZ", "" "showbc"="REG_DWORD", 1 "showfth"="REG_DWORD", 0 "showfthsetting"="REG_DWORD", 0 "showpb"="REG_DWORD", 0 "showsm"="REG_DWORD", 1 "SUPPORT_URL"="REG_SZ", "https://goto.reviversoft.com/action/?product=SR&LinkType=Support&BuildID=0&t=" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "uid"="REG_SZ", "72205a28-a34819b8-a4bb0795-f972a54c" "utm_campaign"="REG_SZ", "default" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "reviversoft" "x-at"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ReviverSoft\Security Reviver\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\ReviverSoft\params] "ASPInstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" [HKEY_CURRENT_USER\Software\ReviverSoft\Security Reviver] "affiliateid"="REG_SZ", "" "buildid"="REG_SZ", "0" "cmd_t"="REG_SZ", "" "CurrentScanTime"="REG_BINARY, ........ "FirstInstallDate"="REG_SZ", "22-01-2020" "InstalledPath"="REG_SZ", "C:\Program Files (x86)\Security Reviver" "StrLastErrorsFixed"="REG_SZ", "0" "StrLastScanResults"="REG_SZ", "56" "TELNO"="REG_SZ", "" "TELNOFR"="REG_SZ", "" "utm_campaign"="REG_SZ", "default" "utm_days"="REG_SZ", "0" "utm_medium"="REG_SZ", "newbuild" "utm_source"="REG_SZ", "reviversoft" "x-at"="REG_SZ", "" [HKEY_CURRENT_USER\Software\ReviverSoft\Security Reviver\2.1.1000.26600] [HKEY_CURRENT_USER\Software\ReviverSoft\Security Reviver\LANG] "LangCode"="REG_SZ", "en" "LangID"="REG_DWORD", 0 Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/22/20 Scan Time: 9:00 AM Log File: 46fe135a-3ced-11ea-b033-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.18084 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236070 Threats Detected: 96 Threats Quarantined: 96 Time Elapsed: 31 min, 15 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe, Quarantined, 1521, 183639, , , , Module: 10 PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\helper.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Interop.IWshRuntimeLibrary.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Microsoft.Win32.TaskScheduler.DLL, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\scandll.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\System.Data.SQLite.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unrar.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Compression.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.FileSystem.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Zip.dll, Quarantined, 1521, 183639, , , , Registry Key: 9 PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SECURITY REVIVER_STARTUP, Quarantined, 1521, 183641, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C69819AC-6DEE-4FCE-AF8C-E525EDB6CAFB}, Quarantined, 1521, 183641, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C69819AC-6DEE-4FCE-AF8C-E525EDB6CAFB}, Quarantined, 1521, 183641, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\sr_notifier_executor, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2E1D2ED2-7C7B-4B2F-9BAA-04BB6EA2FEE2}, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{2E1D2ED2-7C7B-4B2F-9BAA-04BB6EA2FEE2}, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_ReviverSoft~2C1D94A4_is1, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, HKCU\SOFTWARE\REVIVERSOFT\Security Reviver, Quarantined, 1521, 259287, 1.0.18084, , ame, PUP.Optional.SecurityReviver, HKLM\SOFTWARE\WOW6432NODE\REVIVERSOFT\Security Reviver, Quarantined, 1521, 259289, 1.0.18084, , ame, Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\PROGRAMDATA\REVIVERSOFT\SECURITY REVIVER, Quarantined, 1521, 182114, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\USERS\{username}\APPDATA\ROAMING\REVIVERSOFT\SECURITY REVIVER, Quarantined, 1521, 182114, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SECURITY REVIVER, Quarantined, 1521, 182115, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\USERS\{username}\APPDATA\LOCAL\REVIVERSOFT\SECURITY REVIVER, Quarantined, 1521, 502489, 1.0.18084, , ame, File: 69 PUP.Optional.SecurityReviver, C:\USERS\PUBLIC\DESKTOP\SECURITY REVIVER.LNK, Quarantined, 1521, 183638, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\completedatabase.db, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Cookies.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\DigSign.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\FilePaths.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\FileSignature.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Folders.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Md5.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\Registry.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\SetupSign.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\signatures\StrSetupSign.bin, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates\3262completedatabase.zip, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates\4025mupdate.zip, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\updates\4026update.zip, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\AddonSafelist, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\ProgramData\ReviverSoft\Security Reviver\log.xslt, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\WINDOWS\SYSTEM32\TASKS\SECURITY REVIVER_STARTUP, Quarantined, 1521, 183641, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs\log_22-01-20_08-48-21.xml, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Logs\SMLog.xml, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\ASPLog.txt, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\QDetail.db, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Settings.db, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\Update.ini, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Roaming\ReviverSoft\Security Reviver\uuid.txt, Quarantined, 1521, 182114, , , , PUP.Optional.SecurityReviver, C:\PROGRAM FILES (X86)\SECURITY REVIVER\unins000.dat, Quarantined, 1521, 183639, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\AppManager.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\AppResource.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\categories.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Chinese_asp_ZH-CN.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\danish_asp_DA.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\dutch_asp_NL.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\eng_asp_en.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Finnish_asp_FI.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\french_asp_FR.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\german_asp_DE.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\helper.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Interop.IWshRuntimeLibrary.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\italian_asp_IT.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\japanese_asp_JA.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\lci.lci, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\loading_withWhiteBG.avi, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Microsoft.Win32.TaskScheduler.DLL, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\norwegian_asp_NO.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\notifier.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\portuguese_asp_PT-BR.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\russian_asp_ru.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\scandll.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\SecRev.exe.config, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\spanish_asp_ES.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\sr.ico, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\swedish_asp_SV.ini, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\System.Data.SQLite.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\tray.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unins000.exe, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unins000.msg, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\unrar.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Compression.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Compression.Formats.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.FileSystem.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\Program Files (x86)\Security Reviver\Xceed.Zip.dll, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Security Reviver.lnk, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\WINDOWS\SYSTEM32\TASKS\sr_notifier_executor, Quarantined, 1521, 183639, , , , PUP.Optional.SecurityReviver, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver\Register Security Reviver.lnk, Quarantined, 1521, 182115, , , , PUP.Optional.SecurityReviver, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver\Security Reviver.lnk, Quarantined, 1521, 182115, , , , PUP.Optional.SecurityReviver, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Reviver\Uninstall Security Reviver.lnk, Quarantined, 1521, 182115, , , , PUP.Optional.SecurityReviver, C:\Users\{username}\AppData\Local\ReviverSoft\Security Reviver\ScanEngineErrorLog.txt, Quarantined, 1521, 502489, , , , PUP.Optional.SecurityReviver, C:\WINDOWS\SYSTEM32\SECREVNATIVE64.EXE, Quarantined, 1521, 783064, 1.0.18084, , ame, PUP.Optional.SecurityReviver, C:\USERS\{username}\DESKTOP\SECURITYREVIVERSETUP.EXE, Quarantined, 1521, 338021, 1.0.18084, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is Gamez 4 Us Search? The Malwarebytes research team has determined that Gamez 4 Us Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a search hijacker and uses web push notifications. How do I know if my computer is affected by Gamez 4 Us Search? You may see this entry in your list of installed Chrome extensions: and these warnings during install: You will see this icon in your Chrome menu-bar: and these changed settings: How did Gamez 4 Us Search get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore: after a redirect from their website: How do I remove Gamez 4 Us Search? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Gamez 4 Us Search? No, Malwarebytes removes Gamez 4 Us Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes, as well as Browser Guard, would have protected you against the Gamez 4 Us Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for experts Possible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.gamez4us.com/?q={searchTerms}&publisher=fctry_gamez4us&barcodeid=531200000000000 CHR DefaultSearchKeyword: Default -> Gamez4us CHR DefaultSuggestURL: Default -> hxxps://api.gamez4us.com/suggest/get?q={searchTerms} CHR Notifications: Default -> hxxps://install.gamez4us.com CHR Extension: (Gamez4us) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm [2020-01-21] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0 Adds the file manifest.json"="1/21/2020 9:10 AM, 2054 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata Adds the file computed_hashes.json"="1/21/2020 9:10 AM, 6088 bytes, A Adds the file verified_contents.json"="11/12/2019 12:48 PM, 1921 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons Adds the file 128x128.png"="1/21/2020 9:10 AM, 9460 bytes, A Adds the file 16x16.png"="1/21/2020 9:10 AM, 631 bytes, A Adds the file 64x64.png"="1/21/2020 9:10 AM, 3841 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts Adds the file background.js"="11/12/2019 12:48 PM, 511565 bytes, A Adds the file sitecontent.js"="11/12/2019 12:48 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fojaflpemffikbpfpabbmfnkdoadcbkm Adds the file Gamez 4 Us Search.ico"="1/21/2020 9:10 AM, 197115 bytes, A Adds the file Gamez 4 Us Search.ico.md5"="1/21/2020 9:10 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fojaflpemffikbpfpabbmfnkdoadcbkm"="REG_SZ", "B2F1247B2AE8E24F60B8B38297B7E7C13EF57344DDF0EF1C9806C2EA1C616A1A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/21/20 Scan Time: 9:22 AM Log File: 2b3fcb7a-3c27-11ea-a91c-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.18036 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235957 Threats Detected: 17 Threats Quarantined: 17 Time Elapsed: 22 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Gamez4Us, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fojaflpemffikbpfpabbmfnkdoadcbkm, Quarantined, 15044, 519677, , , , Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FOJAFLPEMFFIKBPFPABBMFNKDOADCBKM, Quarantined, 15044, 519677, 1.0.18036, , ame, File: 10 PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FOJAFLPEMFFIKBPFPABBMFNKDOADCBKM\3.0.3_0\MANIFEST.JSON, Quarantined, 15044, 519677, 1.0.18036, , ame, PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons\128x128.png, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons\16x16.png, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\images\icons\64x64.png, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts\background.js, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\scripts\sitecontent.js, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata\computed_hashes.json, Quarantined, 15044, 519677, , , , PUP.Optional.Gamez4Us, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fojaflpemffikbpfpabbmfnkdoadcbkm\3.0.3_0\_metadata\verified_contents.json, Quarantined, 15044, 519677, , , , Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is Free Games by FunPopularGames?The Malwarebytes research team has determined that Free Games by FunPopularGames is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Free Games by FunPopularGames is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by Free Games by FunPopularGames?You may see this browser extension:these warnings during install:and this new setting:You may see this entry in your list of installed software:and this new homepage/newtab in the affected browsers:How did Free Games by FunPopularGames get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove Free Games by FunPopularGames?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process. Is there anything else I need to do to get rid of Free Games by FunPopularGames? No, Malwarebytes' Anti-Malware removes Free Games by FunPopularGames completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Free Games by FunPopularGames hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and both Malwarebytes Premium as well as Browser Guard block traffic to their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://hp.myway.com/funpopulargames/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid} CHR NewTab: Default -> Active:"chrome-extension://nmdhldfcnebjfhkmgnelkbomklikmjbo/ntp1.html" CHR Extension: (Free Games by FunPopularGames) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo [2020-01-19] C:\Users\{username}\AppData\Local\Fun Popular GamesTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\FunPopularGames.exe Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Fun Popular GamesTooltab Adds the file TooltabExtension.dll"="11/27/2019 8:44 PM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0 Adds the file manifest.json"="1/19/2020 1:41 PM, 2523 bytes, A Adds the file ntp1.html"="1/13/2020 5:44 PM, 1434 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata Adds the file computed_hashes.json"="1/19/2020 1:41 PM, 5628 bytes, A Adds the file verified_contents.json"="1/13/2020 5:44 PM, 7160 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\config Adds the file config.json"="1/13/2020 5:44 PM, 1437 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons Adds the file icon128.png"="1/19/2020 1:41 PM, 13884 bytes, A Adds the file icon16.png"="1/13/2020 5:44 PM, 1659 bytes, A Adds the file icon19disabled.png"="1/13/2020 5:44 PM, 1805 bytes, A Adds the file icon19on.png"="1/19/2020 1:41 PM, 994 bytes, A Adds the file icon48.png"="1/19/2020 1:41 PM, 3662 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js Adds the file ajax.js"="1/13/2020 5:44 PM, 3263 bytes, A Adds the file babAPI.js"="1/13/2020 5:44 PM, 5703 bytes, A Adds the file babClickHandler.js"="1/13/2020 5:44 PM, 11589 bytes, A Adds the file babContentScript.js"="1/13/2020 5:44 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="1/13/2020 5:44 PM, 9842 bytes, A Adds the file background.js"="1/13/2020 5:44 PM, 18898 bytes, A Adds the file browserUtils.js"="1/13/2020 5:44 PM, 1892 bytes, A Adds the file chrome.js"="1/13/2020 5:44 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="1/13/2020 5:44 PM, 22964 bytes, A Adds the file dateTimeUtils.js"="1/13/2020 5:44 PM, 1213 bytes, A Adds the file dlp.js"="1/13/2020 5:44 PM, 5783 bytes, A Adds the file dlpHelper.js"="1/13/2020 5:44 PM, 1835 bytes, A Adds the file extensionDetect.js"="1/13/2020 5:44 PM, 4354 bytes, A Adds the file index.js"="1/13/2020 5:44 PM, 49 bytes, A Adds the file localStorageContentScript.js"="1/13/2020 5:44 PM, 2236 bytes, A Adds the file logger.js"="1/13/2020 5:44 PM, 531 bytes, A Adds the file meta.js"="1/13/2020 5:44 PM, 1660 bytes, A Adds the file offerService.js"="1/13/2020 5:44 PM, 16953 bytes, A Adds the file pageUtils.js"="1/13/2020 5:44 PM, 2905 bytes, A Adds the file PartnerId.js"="1/13/2020 5:44 PM, 16402 bytes, A Adds the file polyfill.js"="1/13/2020 5:44 PM, 875 bytes, A Adds the file product.js"="1/13/2020 5:44 PM, 7830 bytes, A Adds the file remoteConfigLoader.js"="1/13/2020 5:44 PM, 5053 bytes, A Adds the file searchBoxFocusSetterEdge.js"="1/13/2020 5:44 PM, 1648 bytes, A Adds the file splashPageRedirectHandler.js"="1/13/2020 5:44 PM, 2821 bytes, A Adds the file storageUtils.js"="1/13/2020 5:44 PM, 1718 bytes, A Adds the file TemplateParser.js"="1/13/2020 5:44 PM, 3153 bytes, A Adds the file ul.js"="1/13/2020 5:44 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="1/13/2020 5:44 PM, 2453 bytes, A Adds the file urlUtils.js"="1/13/2020 5:44 PM, 5906 bytes, A Adds the file util.js"="1/13/2020 5:44 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="1/13/2020 5:44 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="1/13/2020 5:44 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo Adds the file 000003.log"="1/19/2020 1:41 PM, 4453 bytes, A Adds the file CURRENT"="1/19/2020 1:41 PM, 16 bytes, A Adds the file LOCK"="1/19/2020 1:41 PM, 0 bytes, A Adds the file LOG"="1/19/2020 1:41 PM, 184 bytes, A Adds the file MANIFEST-000001"="1/19/2020 1:41 PM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Fun Popular Games] "Start Page"="REG_SZ", "https://hp.myway.com/funpopulargames/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={p2}&ptb={ptb}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nmdhldfcnebjfhkmgnelkbomklikmjbo"="REG_SZ", "3027DF1507C41D2C03FD49569E6B9E290E44AB40872B54DCEF9E2A9DC9E8A4C3" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "https://hp.myway.com/funpopulargames/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fun Popular GamesTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "Fun Popular Games Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\Fun Popular GamesTooltab\TooltabExtension.dll" U uninstall:Fun Popular Games" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/19/20 Scan Time: 2:02 PM Log File: faefb9b0-3abb-11ea-acf4-00ffdcc6fdfc.json -Software Information- Version: 4.0.4.49 Components Version: 1.0.785 Update Package Version: 1.0.17944 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236180 Threats Detected: 87 Threats Quarantined: 87 Time Elapsed: 39 min, 11 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Fun Popular GamesTooltab\TooltabExtension.dll, Quarantined, 1790, 356944, , , , Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Fun Popular GamesTooltab Uninstall Internet Explorer, Quarantined, 1790, 356944, , , , PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Fun Popular Games, Quarantined, 1790, 444113, 1.0.17944, , ame, Registry Value: 4 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Fun Popular Games|START PAGE, Quarantined, 1790, 444113, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Fun Popular Games|UNINSTALLSURVEYURL, Quarantined, 1790, 769449, 1.0.17944, , ame, PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Fun Popular GamesTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, 680, 352442, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nmdhldfcnebjfhkmgnelkbomklikmjbo, Quarantined, 1790, 443121, , , , Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 680, 293497, 1.0.17944, , ame, Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Fun Popular GamesTooltab, Quarantined, 1790, 356944, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es_419, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_BR, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_PT, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\de, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\en, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\fr, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\it, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\ja, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\config, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NMDHLDFCNEBJFHKMGNELKBOMKLIKMJBO, Quarantined, 1790, 443121, 1.0.17944, , ame, File: 61 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Fun Popular GamesTooltab\TooltabExtension.dll, Quarantined, 1790, 356944, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\000003.log, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\CURRENT, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\LOCK, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\LOG, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nmdhldfcnebjfhkmgnelkbomklikmjbo\MANIFEST-000001, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NMDHLDFCNEBJFHKMGNELKBOMKLIKMJBO\13.921.17.11176_0\MANIFEST.JSON, Quarantined, 1790, 443121, 1.0.17944, , ame, PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\config\config.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon128.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon16.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon19disabled.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon19on.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\icons\icon48.png, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\dlpHelper.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\ajax.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babAPI.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babClickHandler.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babContentScript.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\babContentScriptAPI.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\background.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\browserUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\chrome.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\contentScriptConnectionManager.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\dateTimeUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\dlp.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\extensionDetect.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\index.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\localStorageContentScript.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\logger.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\meta.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\offerService.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\pageUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\PartnerId.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\polyfill.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\product.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\remoteConfigLoader.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\searchBoxFocusSetterEdge.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\splashPageRedirectHandler.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\storageUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\TemplateParser.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\ul.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\urlFragmentActions.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\urlUtils.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\util.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\webtooltabAPI.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\js\webTooltabAPIProxy.js, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\de\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\en\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\es_419\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\fr\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\it\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\ja\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_BR\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_locales\pt_PT\messages.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata\computed_hashes.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\_metadata\verified_contents.json, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmdhldfcnebjfhkmgnelkbomklikmjbo\13.921.17.11176_0\ntp1.html, Quarantined, 1790, 443121, , , , PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FUNPOPULARGAMES.EXE, Quarantined, 680, 365288, 1.0.17944, , ame, Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.