Jump to content

Metallica

Staff
  • Content Count

    2,410
  • Joined

  • Last visited

Everything posted by Metallica

  1. What is MovieBox Default Search?The Malwarebytes research team has determined that MovieBox Default Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by MovieBox Default Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and these changed settings:How did MovieBox Default Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove MovieBox Default Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MovieBox Default Search? No, Malwarebytes removes MovieBox Default Search completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the MovieBox Default Search hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.moviebox-online.com/?q={searchTerms}&publisher=movie-box&barcodeid=521920000000000 CHR DefaultSearchKeyword: Default -> MovieBox Search CHR DefaultSuggestURL: Default -> hxxps://api.moviebox-online.com/suggest/get?q={searchTerms} CHR Extension: (MovieBox Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh [2019-08-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0 Adds the file closer.js"="8/7/2018 11:31 AM, 15 bytes, A Adds the file manifest.json"="8/16/2019 8:59 AM, 2231 bytes, A Adds the file tab.html"="8/7/2018 11:31 AM, 165 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata Adds the file computed_hashes.json"="8/16/2019 8:59 AM, 794 bytes, A Adds the file verified_contents.json"="4/10/2019 2:34 PM, 2253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons Adds the file 128x128.png"="8/16/2019 8:59 AM, 13201 bytes, A Adds the file 16x16.png"="8/16/2019 8:59 AM, 698 bytes, A Adds the file 32x32.png"="8/16/2019 8:59 AM, 1943 bytes, A Adds the file 64x64.png"="8/16/2019 8:59 AM, 5371 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts Adds the file background.js"="4/10/2019 2:40 PM, 31384 bytes, A Adds the file sitecontent.js"="8/7/2018 11:31 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_genhcdlnoedbdchadffldpoabfimgfgh Adds the file MovieBox Default Search.ico"="8/16/2019 8:59 AM, 199356 bytes, A Adds the file MovieBox Default Search.ico.md5"="8/16/2019 8:59 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "genhcdlnoedbdchadffldpoabfimgfgh"="REG_SZ", "542CDF404467B4047748BD3D31F7A536A3ACC9FF6CDF9F6BDA669E600101A454" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/16/19 Scan Time: 9:13 AM Log File: 5da85f36-bff5-11e9-b938-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12037 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236317 Threats Detected: 22 Threats Quarantined: 22 Time Elapsed: 6 min, 8 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MovieBox, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|genhcdlnoedbdchadffldpoabfimgfgh, Quarantined, [338], [672265],1.0.12037 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GENHCDLNOEDBDCHADFFLDPOABFIMGFGH, Quarantined, [338], [672265],1.0.12037 File: 15 PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GENHCDLNOEDBDCHADFFLDPOABFIMGFGH\2.1.1_0\MANIFEST.JSON, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\128x128.png, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\16x16.png, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\32x32.png, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\images\icons\64x64.png, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts\background.js, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\scripts\sitecontent.js, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata\computed_hashes.json, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\_metadata\verified_contents.json, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\closer.js, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genhcdlnoedbdchadffldpoabfimgfgh\2.1.1_0\tab.html, Quarantined, [338], [672265],1.0.12037 PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [338], [672264],1.0.12037 PUP.Optional.MovieBox, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [338], [672264],1.0.12037 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is MergeDocsNow?The Malwarebytes research team has determined that MergeDocsNow is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.MergeDocsNow is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by MergeDocsNow?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did MergeDocsNow get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove MergeDocsNow?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MergeDocsNow? No, Malwarebytes' Anti-Malware removes MergeDocsNow completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the MergeDocsNow hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/mergedocsnow/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid} FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _hxMembers_@free.mergedocsnow.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _hxMembers_@free.mergedocsnow.com FF Extension: (MergeDocsNow) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_hxMembers_@free.mergedocsnow.com.xpi [2019-08-15] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=230578682&version=8.914.15.59070&track=TTAB02&trackRevision=1&fromId=_hxMembers_%40free.mergedocsnow.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://picpadgnaiehfpanhlnlejeelgohjpid/ntp.html" CHR Extension: (MergeDocsNow) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid [2019-08-15] C:\Users\{username}\AppData\Local\MergeDocsNowTooltab MergeDocsNow Internet Explorer Homepage and New Tab (HKCU\...\MergeDocsNowTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0 Adds the file manifest.json"="8/15/2019 9:19 AM, 2639 bytes, A Adds the file ntp.html"="6/6/2019 6:15 PM, 1423 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales\en Adds the file messages.json"="8/15/2019 9:19 AM, 199 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata Adds the file computed_hashes.json"="8/15/2019 9:19 AM, 5503 bytes, A Adds the file verified_contents.json"="6/6/2019 6:15 PM, 5999 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\config Adds the file config.json"="6/6/2019 6:15 PM, 1483 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons Adds the file icon128.png"="8/15/2019 9:19 AM, 11686 bytes, A Adds the file icon16.png"="6/6/2019 6:15 PM, 1466 bytes, A Adds the file icon19disabled.png"="6/6/2019 6:15 PM, 1441 bytes, A Adds the file icon19on.png"="8/15/2019 9:19 AM, 664 bytes, A Adds the file icon48.png"="8/15/2019 9:19 AM, 2844 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js Adds the file ajax.js"="6/6/2019 6:15 PM, 3263 bytes, A Adds the file babAPI.js"="6/6/2019 6:15 PM, 5703 bytes, A Adds the file babClickHandler.js"="6/6/2019 6:15 PM, 11430 bytes, A Adds the file babContentScript.js"="6/6/2019 6:15 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="6/6/2019 6:15 PM, 9842 bytes, A Adds the file background.js"="6/6/2019 6:15 PM, 18011 bytes, A Adds the file browserUtils.js"="6/6/2019 6:15 PM, 1536 bytes, A Adds the file chrome.js"="6/6/2019 6:15 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="6/6/2019 6:15 PM, 22629 bytes, A Adds the file dateTimeUtils.js"="6/6/2019 6:15 PM, 1213 bytes, A Adds the file dlp.js"="6/6/2019 6:15 PM, 5783 bytes, A Adds the file dlpHelper.js"="6/6/2019 6:15 PM, 1835 bytes, A Adds the file extensionDetect.js"="6/6/2019 6:15 PM, 4354 bytes, A Adds the file index.js"="6/6/2019 6:15 PM, 49 bytes, A Adds the file localStorageContentScript.js"="6/6/2019 6:15 PM, 2236 bytes, A Adds the file logger.js"="6/6/2019 6:15 PM, 531 bytes, A Adds the file meta.js"="6/6/2019 6:15 PM, 1631 bytes, A Adds the file offerService.js"="6/6/2019 6:15 PM, 16953 bytes, A Adds the file pageUtils.js"="6/6/2019 6:15 PM, 3154 bytes, A Adds the file PartnerId.js"="6/6/2019 6:15 PM, 16402 bytes, A Adds the file polyfill.js"="6/6/2019 6:15 PM, 875 bytes, A Adds the file product.js"="6/6/2019 6:15 PM, 7837 bytes, A Adds the file remoteConfigLoader.js"="6/6/2019 6:15 PM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="6/6/2019 6:15 PM, 2821 bytes, A Adds the file storageUtils.js"="6/6/2019 6:15 PM, 1718 bytes, A Adds the file TemplateParser.js"="6/6/2019 6:15 PM, 3153 bytes, A Adds the file ul.js"="6/6/2019 6:15 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="6/6/2019 6:15 PM, 2450 bytes, A Adds the file urlUtils.js"="6/6/2019 6:15 PM, 5906 bytes, A Adds the file util.js"="6/6/2019 6:15 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="6/6/2019 6:15 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="6/6/2019 6:15 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid Adds the file 000003.log"="8/15/2019 9:19 AM, 4966 bytes, A Adds the file CURRENT"="8/15/2019 9:19 AM, 16 bytes, A Adds the file LOCK"="8/15/2019 9:19 AM, 0 bytes, A Adds the file LOG"="8/15/2019 9:19 AM, 185 bytes, A Adds the file MANIFEST-000001"="8/15/2019 9:19 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MergeDocsNowTooltab Adds the file TooltabExtension.dll"="3/8/2019 10:49 PM, 266864 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _hxMembers_@free.mergedocsnow.com.xpi"="8/15/2019 9:21 AM, 87849 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "picpadgnaiehfpanhlnlejeelgohjpid"="REG_SZ", "79A10BF7C2918C860F265A98780A0B3C5645E90D1F333F2B48ACA7A38CA72A35" [HKEY_CURRENT_USER\Software\MergeDocsNow] "Start Page"="REG_SZ", "http://hp.myway.com/mergedocsnow/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={p2}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/mergedocsnow/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MergeDocsNowTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "MergeDocsNow Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\MergeDocsNowTooltab\TooltabExtension.dll" U uninstall:MergeDocsNow" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/15/19 Scan Time: 9:27 AM Log File: 34a0b98e-bf2e-11e9-8304-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.12017 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236478 Threats Detected: 70 Threats Quarantined: 70 Time Elapsed: 9 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MergeDocsNowTooltab\TooltabExtension.dll, Quarantined, [1768], [356944],1.0.12017 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MergeDocsNowTooltab Uninstall Internet Explorer, Quarantined, [1768], [356944],1.0.12017 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MergeDocsNow, Quarantined, [1768], [444113],1.0.12017 Registry Value: 3 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MergeDocsNow|START PAGE, Quarantined, [1768], [444113],1.0.12017 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MergeDocsNowTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [642], [352442],1.0.12017 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|picpadgnaiehfpanhlnlejeelgohjpid, Quarantined, [1768], [443121],1.0.12017 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [642], [293497],1.0.12017 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MergeDocsNowTooltab, Quarantined, [1768], [356944],1.0.12017 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales\en, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\config, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PICPADGNAIEHFPANHLNLEJEELGOHJPID, Quarantined, [1768], [443121],1.0.12017 File: 53 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MergeDocsNowTooltab\TooltabExtension.dll, Quarantined, [1768], [356944],1.0.12017 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_hxMembers_@free.mergedocsnow.com.xpi, Quarantined, [1768], [457930],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\000003.log, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\CURRENT, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\LOCK, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\LOG, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\picpadgnaiehfpanhlnlejeelgohjpid\MANIFEST-000001, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PICPADGNAIEHFPANHLNLEJEELGOHJPID\13.882.15.38113_0\MANIFEST.JSON, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\config\config.json, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon128.png, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon16.png, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon19disabled.png, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon19on.png, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\icons\icon48.png, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\localStorageContentScript.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\ajax.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babAPI.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babClickHandler.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babContentScript.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\babContentScriptAPI.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\background.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\browserUtils.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\chrome.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\contentScriptConnectionManager.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\dateTimeUtils.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\dlp.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\dlpHelper.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\extensionDetect.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\index.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\logger.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\meta.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\offerService.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\pageUtils.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\PartnerId.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\polyfill.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\product.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\remoteConfigLoader.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\splashPageRedirectHandler.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\storageUtils.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\TemplateParser.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\ul.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\urlFragmentActions.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\urlUtils.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\util.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\webtooltabAPI.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\js\webTooltabAPIProxy.js, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_locales\en\messages.json, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata\computed_hashes.json, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\_metadata\verified_contents.json, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\picpadgnaiehfpanhlnlejeelgohjpid\13.882.15.38113_0\ntp.html, Quarantined, [1768], [443121],1.0.12017 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\MERGEDOCSNOW.EXE, Quarantined, [642], [365288],1.0.12017 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is PDFPros?The Malwarebytes research team has determined that PDFPros is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses web push notifications.How do I know if my computer is affected by PDFPros?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and these changed settings:How did PDFPros get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove PDFPros?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PDFPros? No, Malwarebytes removes PDFPros completely. If you have allowed the notifications you can read here how to disable them. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the PDFPros hijacker. It would have blocked their website, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.pdfpros.com/?q={searchTerms}&publisher=pdfpros&barcodeid=544300000000000 CHR DefaultSearchKeyword: Default -> PDFPros CHR DefaultSuggestURL: Default -> hxxps://api.pdfpros.com/suggest/get?q={searchTerms} CHR Extension: (PDFPros) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg [2019-08-14] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0 Adds the file closer.js"="9/13/2017 11:07 AM, 15 bytes, A Adds the file manifest.json"="8/14/2019 9:08 AM, 2242 bytes, A Adds the file popup.html"="12/31/2018 1:38 PM, 1141 bytes, A Adds the file tab.html"="9/13/2017 11:07 AM, 165 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata Adds the file computed_hashes.json"="8/14/2019 9:08 AM, 2561 bytes, A Adds the file verified_contents.json"="1/15/2019 8:07 AM, 2947 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images Adds the file how-1.png"="12/31/2018 1:38 PM, 2862 bytes, A Adds the file how-2.png"="12/31/2018 1:38 PM, 3247 bytes, A Adds the file logo-small.png"="12/31/2018 1:38 PM, 1109 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons Adds the file 128x128.png"="8/14/2019 9:08 AM, 1621 bytes, A Adds the file 16x16.png"="8/14/2019 9:08 AM, 527 bytes, A Adds the file 64x64.png"="8/14/2019 9:08 AM, 1281 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts Adds the file background.js"="1/17/2019 2:22 PM, 31608 bytes, A Adds the file jquery-3.3.1.min.js"="12/31/2018 1:38 PM, 86927 bytes, A Adds the file popup.js"="12/31/2018 1:38 PM, 568 bytes, A Adds the file sitecontent.js"="12/31/2018 1:38 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\styles Adds the file popup.css"="12/31/2018 1:38 PM, 1270 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_dfhbfihajlehdolghpaempnfihmeopeg Adds the file PDFPros.ico"="8/14/2019 9:08 AM, 159726 bytes, A Adds the file PDFPros.ico.md5"="8/14/2019 9:08 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dfhbfihajlehdolghpaempnfihmeopeg"="REG_SZ", "BB9973E71C0982B74DBE741630C725A42E874243EFAF7F166EF9F2C786D7522E" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/14/19 Scan Time: 9:18 AM Log File: a5ca0f46-be63-11e9-9c1a-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11999 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236355 Threats Detected: 29 Threats Quarantined: 29 Time Elapsed: 5 min, 48 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.PDFPros, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dfhbfihajlehdolghpaempnfihmeopeg, Quarantined, [348], [716810],1.0.11999 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\styles, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DFHBFIHAJLEHDOLGHPAEMPNFIHMEOPEG, Quarantined, [348], [716810],1.0.11999 File: 21 PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DFHBFIHAJLEHDOLGHPAEMPNFIHMEOPEG\2.1.0_0\MANIFEST.JSON, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons\128x128.png, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons\16x16.png, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\icons\64x64.png, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\how-1.png, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\how-2.png, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\images\logo-small.png, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\background.js, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\jquery-3.3.1.min.js, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\popup.js, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\scripts\sitecontent.js, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\styles\popup.css, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata\computed_hashes.json, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\_metadata\verified_contents.json, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\closer.js, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\popup.html, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfhbfihajlehdolghpaempnfihmeopeg\2.1.0_0\tab.html, Quarantined, [348], [716810],1.0.11999 PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [716808],1.0.11999 PUP.Optional.PDFPros, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [716808],1.0.11999 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is SPP App?The Malwarebytes research team has determined that SPP App is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one sets itself as the default search provider and hijacks searches on major search sites.How do I know if my computer is affected by SPP App?You may see this entry in your list of installed Chrome extensions:these warnings during install:and this changed setting:How did SPP App get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove SPP App?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of SPP App? No, Malwarebytes removes SPP App completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the SPP App hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://searchprivacyplus.com/results.php?p=9040&v=400&q={searchTerms}&source=default CHR DefaultSearchKeyword: Default -> Secure CHR DefaultSuggestURL: Default -> hxxps://searchprivacyplus.com/gjson.php?q={searchTerms} CHR Extension: (Secure) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm [2019-08-13] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0 Adds the file background.js"="8/9/2019 10:53 PM, 9104 bytes, A Adds the file manifest.json"="8/13/2019 9:07 AM, 1969 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata Adds the file computed_hashes.json"="8/13/2019 9:07 AM, 451 bytes, A Adds the file verified_contents.json"="8/9/2019 10:59 PM, 1651 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons Adds the file icon128.png"="8/13/2019 9:07 AM, 2188 bytes, A Adds the file icon48.png"="8/13/2019 9:07 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm Adds the file 000003.log"="8/13/2019 9:10 AM, 366 bytes, A Adds the file CURRENT"="8/13/2019 9:07 AM, 16 bytes, A Adds the file LOCK"="8/13/2019 9:07 AM, 0 bytes, A Adds the file LOG"="8/13/2019 9:07 AM, 184 bytes, A Adds the file MANIFEST-000001"="8/13/2019 9:07 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_jfcfgnljnhnpgofnhgifaanbjligjlpm Adds the file SPP App.ico"="8/13/2019 9:08 AM, 162813 bytes, A Adds the file SPP App.ico.md5"="8/13/2019 9:08 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jfcfgnljnhnpgofnhgifaanbjligjlpm"="REG_SZ", "19564D7F704EB0C9FC27BE120247CDE951C365082614BF2A8B3F16752DC67AD6" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/13/19 Scan Time: 9:22 AM Log File: 2a57ba84-bd9b-11e9-b19a-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11981 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236682 Threats Detected: 21 Threats Quarantined: 21 Time Elapsed: 7 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 Adware.SearchEngineHijack, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jfcfgnljnhnpgofnhgifaanbjligjlpm, Quarantined, [374], [460702],1.0.11981 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFCFGNLJNHNPGOFNHGIFAANBJLIGJLPM, Quarantined, [374], [460702],1.0.11981 File: 15 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\000003.log, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\CURRENT, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\LOCK, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\LOG, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jfcfgnljnhnpgofnhgifaanbjligjlpm\MANIFEST-000001, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JFCFGNLJNHNPGOFNHGIFAANBJLIGJLPM\2.2.2.1_0\MANIFEST.JSON, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons\icon128.png, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\icons\icon48.png, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata\computed_hashes.json, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\_metadata\verified_contents.json, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfcfgnljnhnpgofnhgifaanbjligjlpm\2.2.2.1_0\background.js, Quarantined, [374], [460702],1.0.11981 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [374], [570730],1.0.11981 Adware.SearchEngineHijack, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [374], [570730],1.0.11981 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Xtron Cleanup Pro?The Malwarebytes research team has determined that Xtron Cleanup Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Xtron Cleanup Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Xtron Cleanup Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website.How do I remove Xtron Cleanup Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Xtron Cleanup Pro? No, Malwarebytes removes Xtron Cleanup Pro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Xtron Cleanup Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (NETCOM PC Utilities -> ) C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe Task: {111B3651-C6B0-45C9-96B7-E0D081F3ABF1} - System32\Tasks\Xtron-Cleanup-Pro_Logon => C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe [2037936 2019-07-29] (NETCOM PC Utilities -> ) C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username} C:\Windows\System32\Tasks\Xtron-Cleanup-Pro_Logon C:\Users\Public\Desktop\Xtron-Cleanup-Pro.lnk C:\ProgramData\Xtron-Cleanup-Pro_{username} C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username} C:\Program Files\Xtron-Cleanup-Pro_{username} Xtron-Cleanup-Pro (HKLM\...\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1) (Version: 1.0.0.0 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Xtron-Cleanup-Pro_{username} Adds the file application.ico"="6/10/2019 11:42 AM, 185552 bytes, A Adds the file danish_iss.ini"="5/29/2019 3:54 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/29/2019 3:54 PM, 2600 bytes, A Adds the file english_iss.ini"="5/29/2019 3:54 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/29/2019 3:54 PM, 2368 bytes, A Adds the file French_iss.ini"="5/29/2019 3:54 PM, 2792 bytes, A Adds the file german_iss.ini"="5/29/2019 3:54 PM, 2658 bytes, A Adds the file HtmlRenderer.dll"="7/29/2019 4:50 PM, 235184 bytes, A Adds the file HtmlRenderer.WinForms.dll"="7/29/2019 4:50 PM, 73904 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="7/29/2019 4:50 PM, 62640 bytes, A Adds the file Interop.SHDocVw.dll"="7/29/2019 4:50 PM, 177328 bytes, A Adds the file italian_iss.ini"="5/29/2019 3:54 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/29/2019 3:54 PM, 1844 bytes, A Adds the file langs.db"="6/24/2019 5:44 PM, 486400 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="7/29/2019 4:50 PM, 184496 bytes, A Adds the file NAudio.dll"="7/29/2019 4:50 PM, 484528 bytes, A Adds the file Newtonsoft.Json.dll"="7/29/2019 4:50 PM, 474288 bytes, A Adds the file norwegian_iss.ini"="5/29/2019 3:54 PM, 2358 bytes, A Adds the file portuguese_iss.ini"="5/29/2019 3:54 PM, 2424 bytes, A Adds the file rgcl.exe"="7/29/2019 4:50 PM, 2037936 bytes, A Adds the file rgcl.exe.config"="7/29/2019 4:50 PM, 4601 bytes, A Adds the file rpics.dll"="7/29/2019 4:50 PM, 787120 bytes, A Adds the file russian_iss.ini"="5/29/2019 3:54 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/29/2019 3:54 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/29/2019 3:54 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="7/29/2019 4:50 PM, 304304 bytes, A Adds the file TAFactory.IconPack.dll"="7/29/2019 4:50 PM, 50352 bytes, A Adds the file unins000.dat"="8/12/2019 8:47 AM, 75329 bytes, A Adds the file unins000.exe"="8/12/2019 8:47 AM, 1371824 bytes, A Adds the file unins000.msg"="8/12/2019 8:47 AM, 22701 bytes, A Adds the folder C:\Program Files\Xtron-Cleanup-Pro_{username}\x64 Adds the file SQLite.Interop.dll"="7/29/2019 4:50 PM, 1189040 bytes, A Adds the folder C:\Program Files\Xtron-Cleanup-Pro_{username}\x86 Adds the file SQLite.Interop.dll"="7/29/2019 4:50 PM, 868016 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username} Adds the file Buy Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 951 bytes, A Adds the file Uninstall Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 963 bytes, A Adds the file Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 939 bytes, A Adds the folder C:\ProgramData\Xtron-Cleanup-Pro_{username} Adds the file mdb.db"="6/25/2019 6:28 PM, 6643712 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username} Adds the file aptnotfr.xml"="8/12/2019 8:48 AM, 8512 bytes, A Adds the file Errorlog.txt"="8/12/2019 8:54 AM, 30924 bytes, A Adds the file exlist.bin"="8/12/2019 8:48 AM, 257909 bytes, A Adds the file res.xml"="8/12/2019 8:53 AM, 29152 bytes, A Adds the file upt.xml"="8/12/2019 8:48 AM, 25772 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\smico In the existing folder C:\Users\Public\Desktop Adds the file Xtron-Cleanup-Pro.lnk"="8/12/2019 8:47 AM, 921 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Xtron-Cleanup-Pro_Logon"="8/12/2019 8:48 AM, 3064 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe" "DisplayName"="REG_SZ", "Xtron-Cleanup-Pro" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 16054 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}" "Inno Setup: Icon Group"="REG_SZ", "Xtron-Cleanup-Pro_{username}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190812" "InstallLocation"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\WHRyb24tQ2xlYW51cC1Qcm8=\ACT] "data"="REG_BINARY, ............................................................................................ [HKEY_LOCAL_MACHINE\SOFTWARE\xsc-pr] "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Xtron-Cleanup-Pro_{username}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.instant-boost.xyz/install/xcp/?" "apst"="REG_DWORD", 0 "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delayfront"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .................................................................................. "Installstring"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}" "ipaddrurl"="REG_SZ", "http://ins.instant-boost.xyz/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 0 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 74 "lstscandate"="REG_SZ", "8/12/2019 8:53:18 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 74 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.xscactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://www.syscarestore.com/xcp/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://www.syscarestore.com/xcp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.instant-boost.xyz/help/" "TELNO"="REG_SZ", "855-446-9808" "TELNO_ar"="REG_SZ", "" "TELNO_at"="REG_SZ", "" "TELNO_au"="REG_SZ", "" "TELNO_be"="REG_SZ", "" "TELNO_br"="REG_SZ", "" "TELNO_ca"="REG_SZ", "855-446-9808" "TELNO_ch"="REG_SZ", "" "TELNO_de"="REG_SZ", "" "TELNO_dk"="REG_SZ", "" "TELNO_es"="REG_SZ", "" "TELNO_fi"="REG_SZ", "" "TELNO_fr"="REG_SZ", "" "TELNO_gb"="REG_SZ", "" "TELNO_it"="REG_SZ", "" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "" "TELNO_nl"="REG_SZ", "" "TELNO_no"="REG_SZ", "" "TELNO_pt"="REG_SZ", "" "TELNO_se"="REG_SZ", "" "TELNO_uk"="REG_SZ", "" "TELNO_us"="REG_SZ", "855-446-9808" "WebURL"="REG_SZ", "http://www.instant-boost.xyz/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_18_17_140" [HKEY_CURRENT_USER\Software\Xtron-Cleanup-Pro_{username}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}" "LangCode"="REG_SZ", "en" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_187_178_140" [HKEY_CURRENT_USER\Software\Xtron-Cleanup-Pro_{username}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\Xtron-Cleanup-Pro_{username}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/12/19 Scan Time: 9:01 AM Log File: fb2e035d-bcce-11e9-95d2-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11968 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236734 Threats Detected: 72 Threats Quarantined: 72 Time Elapsed: 7 min, 37 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe, Quarantined, [470], [717828],1.0.11968 Module: 6 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717828],1.0.11968 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Xtron-Cleanup-Pro_Logon, Quarantined, [470], [698852],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{111B3651-C6B0-45C9-96B7-E0D081F3ABF1}, Quarantined, [470], [698852],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{111B3651-C6B0-45C9-96B7-E0D081F3ABF1}, Quarantined, [470], [698852],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717827],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\WHRyb24tQ2xlYW51cC1Qcm8=, Quarantined, [470], [698859],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR, Quarantined, [470], [698879],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717825],1.0.11968 Registry Value: 4 PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron-Cleanup-Pro_{username}|AFFILIATEID, Quarantined, [470], [717827],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{111B3651-C6B0-45C9-96B7-E0D081F3ABF1}|PATH, Quarantined, [470], [698854],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR|UTM_CAMPAIGN, Quarantined, [470], [698879],1.0.11968 PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron-Cleanup-Pro_{username}|AFFIRED, Quarantined, [470], [717825],1.0.11968 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717830],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x64, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x86, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717829],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\smico, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron-Cleanup-Pro_{username}, Quarantined, [470], [717831],1.0.11968 File: 46 PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron-Cleanup-Pro_{username}\mdb.db, Quarantined, [470], [717830],1.0.11968 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Xtron-Cleanup-Pro_Logon, Quarantined, [470], [698852],1.0.11968 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717832],1.0.11968 PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron-Cleanup-Pro_{username}\unins000.dat, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\x86\SQLite.Interop.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\langs.db, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\application.ico, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\danish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Dutch_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\english_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\finish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\French_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\german_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\HtmlRenderer.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\HtmlRenderer.WinForms.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Interop.SHDocVw.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\italian_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\japanese_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\NAudio.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\Newtonsoft.Json.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\norwegian_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\portuguese_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rgcl.exe.config, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\rpics.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\russian_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\spanish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\swedish_iss.ini, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.exe, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\Program Files\Xtron-Cleanup-Pro_{username}\unins000.msg, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717828],1.0.11968 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron-Cleanup-Pro_{username}\Buy Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717829],1.0.11968 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username}\Uninstall Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717829],1.0.11968 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron-Cleanup-Pro_{username}\Xtron-Cleanup-Pro.lnk, Quarantined, [470], [717829],1.0.11968 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron-Cleanup-Pro_{username}\Errorlog.txt, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\aptnotfr.xml, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\exlist.bin, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\res.xml, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron-Cleanup-Pro_{username}\upt.xml, Quarantined, [470], [717831],1.0.11968 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-R5TVK.TMP\XTRON-CLEANUP-PRO SETUP .TMP, Quarantined, [470], [698868],1.0.11968 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\XTRON-CLEANUP-PRO SETUP .EXE, Quarantined, [470], [698868],1.0.11968 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Xtron Optimizer Pro?The Malwarebytes research team has determined that Xtron Optimizer Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Xtron Optimizer Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Xtron Optimizer Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Xtron Optimizer Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Xtron Optimizer Pro? No, Malwarebytes removes Xtron Optimizer Pro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Xtron Optimizer Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (ADVANCED PC UTILITIES -> ) C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe Task: {6587CF3A-F150-43D0-BA88-FEBBAA37257D} - System32\Tasks\Xtron- Optimizer-Pro_Logon => C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe [2048032 2019-08-07] (ADVANCED PC UTILITIES -> ) C:\Windows\System32\Tasks\Xtron- Optimizer-Pro_Logon C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username} C:\Users\Public\Desktop\Xtron- Optimizer-Pro.lnk C:\ProgramData\Xtron- Optimizer-Pro_{username} C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username} C:\Program Files\Xtron- Optimizer-Pro_{username} Xtron- Optimizer-Pro (HKLM\...\{341EE7CC-AA90-42F1-B889-4B35572073D1}_is1) (Version: 1.0.0.6 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Xtron- Optimizer-Pro_{username} Adds the file application.ico"="6/10/2019 11:42 AM, 185552 bytes, A Adds the file english_iss.ini"="5/29/2019 3:54 PM, 2256 bytes, A Adds the file HtmlRenderer.dll"="8/7/2019 12:13 PM, 235040 bytes, A Adds the file HtmlRenderer.WinForms.dll"="8/7/2019 12:13 PM, 73760 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="8/7/2019 12:13 PM, 62496 bytes, A Adds the file Interop.SHDocVw.dll"="8/7/2019 12:13 PM, 177184 bytes, A Adds the file langs.db"="6/24/2019 5:44 PM, 486400 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="8/7/2019 12:13 PM, 184352 bytes, A Adds the file NAudio.dll"="8/7/2019 12:13 PM, 484384 bytes, A Adds the file Newtonsoft.Json.dll"="8/7/2019 12:13 PM, 474144 bytes, A Adds the file pmgr.dll"="8/7/2019 12:13 PM, 786976 bytes, A Adds the file rgcl.exe"="8/7/2019 12:13 PM, 2048032 bytes, A Adds the file rgcl.exe.config"="8/7/2019 12:13 PM, 4557 bytes, A Adds the file System.Data.SQLite.DLL"="8/7/2019 12:13 PM, 304160 bytes, A Adds the file TAFactory.IconPack.dll"="8/7/2019 12:13 PM, 50208 bytes, A Adds the file unins000.dat"="8/9/2019 9:08 AM, 75779 bytes, A Adds the file unins000.exe"="8/9/2019 9:07 AM, 1371680 bytes, A Adds the file unins000.msg"="8/9/2019 9:08 AM, 22701 bytes, A Adds the folder C:\Program Files\Xtron- Optimizer-Pro_{username}\x64 Adds the file SQLite.Interop.dll"="8/7/2019 12:13 PM, 1188896 bytes, A Adds the folder C:\Program Files\Xtron- Optimizer-Pro_{username}\x86 Adds the file SQLite.Interop.dll"="8/7/2019 12:13 PM, 867872 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username} Adds the file Buy Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 972 bytes, A Adds the file Uninstall Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 984 bytes, A Adds the file Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 960 bytes, A Adds the folder C:\ProgramData\Xtron- Optimizer-Pro_{username} Adds the file mdb.db"="6/25/2019 6:28 PM, 6643712 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username} Adds the file aptnotfr.xml"="8/9/2019 9:09 AM, 7487 bytes, A Adds the file Errorlog.txt"="8/9/2019 9:16 AM, 21548 bytes, A Adds the file exlist.bin"="8/9/2019 9:09 AM, 257915 bytes, A Adds the file res.xml"="8/9/2019 9:12 AM, 14669 bytes, A Adds the file upt.xml"="8/9/2019 9:09 AM, 23206 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\smico In the existing folder C:\Users\Public\Desktop Adds the file Xtron- Optimizer-Pro.lnk"="8/9/2019 9:08 AM, 942 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Xtron- Optimizer-Pro_Logon"="8/9/2019 9:09 AM, 3070 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{341EE7CC-AA90-42F1-B889-4B35572073D1}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe" "DisplayName"="REG_SZ", "Xtron- Optimizer-Pro" "DisplayVersion"="REG_SZ", "1.0.0.6" "EstimatedSize"="REG_DWORD", 16062 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}" "Inno Setup: Icon Group"="REG_SZ", "Xtron- Optimizer-Pro_{username}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190809" "InstallLocation"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\WHRyb24tIE9wdGltaXplci1Qcm8=\ACT] "data"="REG_BINARY, ............................................................................................................................................................................................................................................................................................................................................................................_............................... [HKEY_LOCAL_MACHINE\SOFTWARE\xsc-pr] "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Xtron- Optimizer-Pro_{username}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.pc-booster.xyz/install/xop/?" "apst"="REG_DWORD", 0 "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delayfront"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Xtron- Optimizer-Pro_{username}" "ipaddrurl"="REG_SZ", "http://ins.pc-booster.xyz/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 0 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 37 "lstscandate"="REG_SZ", "8/9/2019 9:12:16 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 37 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.xscactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://www.syscarestore.com/xop/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://www.syscarestore.com/xop/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.pc-booster.xyz/help/" "TELNO"="REG_SZ", "855-446-9808" "TELNO_ar"="REG_SZ", "" "TELNO_at"="REG_SZ", "" "TELNO_au"="REG_SZ", "" "TELNO_be"="REG_SZ", "" "TELNO_br"="REG_SZ", "" "TELNO_ca"="REG_SZ", "855-446-9808" "TELNO_ch"="REG_SZ", "" "TELNO_de"="REG_SZ", "" "TELNO_dk"="REG_SZ", "" "TELNO_es"="REG_SZ", "" "TELNO_fi"="REG_SZ", "" "TELNO_fr"="REG_SZ", "" "TELNO_gb"="REG_SZ", "" "TELNO_it"="REG_SZ", "" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "" "TELNO_nl"="REG_SZ", "" "TELNO_no"="REG_SZ", "" "TELNO_pt"="REG_SZ", "" "TELNO_se"="REG_SZ", "" "TELNO_uk"="REG_SZ", "" "TELNO_us"="REG_SZ", "855-446-9808" "WebURL"="REG_SZ", "http://www.pc-booster.xyz/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_18_18_220" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/9/19 Scan Time: 9:27 AM Log File: 3587be45-ba77-11e9-a7fc-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11928 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236611 Threats Detected: 71 Threats Quarantined: 71 Time Elapsed: 7 min, 27 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe, Quarantined, [470], [717840],1.0.11928 Module: 6 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717840],1.0.11928 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Xtron- Optimizer-Pro_Logon, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6587CF3A-F150-43D0-BA88-FEBBAA37257D}, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{6587CF3A-F150-43D0-BA88-FEBBAA37257D}, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{341EE7CC-AA90-42F1-B889-4B35572073D1}_is1, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717841],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\WHRyb24tIE9wdGltaXplci1Qcm8=, Quarantined, [470], [698859],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR, Quarantined, [470], [698879],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717842],1.0.11928 Registry Value: 4 PUP.Optional.PCVARK, HKCU\SOFTWARE\Xtron- Optimizer-Pro_{username}|AFFILIATEID, Quarantined, [470], [717841],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6587CF3A-F150-43D0-BA88-FEBBAA37257D}|PATH, Quarantined, [470], [698854],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR|UTM_CAMPAIGN, Quarantined, [470], [698879],1.0.11928 PUP.Optional.PCVARK, HKLM\SOFTWARE\Xtron- Optimizer-Pro_{username}|AFFIRED, Quarantined, [470], [717842],1.0.11928 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x64, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x86, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717838],1.0.11928 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\smico, Quarantined, [470], [717837],1.0.11928 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717837],1.0.11928 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron- Optimizer-Pro_{username}, Quarantined, [470], [717839],1.0.11928 File: 45 PUP.Optional.PCVARK, C:\PROGRAM FILES\Xtron- Optimizer-Pro_{username}\unins000.dat, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x64\SQLite.Interop.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\x86\SQLite.Interop.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\langs.db, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\application.ico, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\danish_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Dutch_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\english_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\finish_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\French_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\german_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\HtmlRenderer.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\HtmlRenderer.WinForms.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Interop.SHDocVw.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\italian_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\japanese_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\NAudio.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\Newtonsoft.Json.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\norwegian_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\pmgr.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\portuguese_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\rgcl.exe.config, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\russian_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\spanish_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\swedish_iss.ini, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\System.Data.SQLite.DLL, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\TAFactory.IconPack.dll, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.exe, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\Program Files\Xtron- Optimizer-Pro_{username}\unins000.msg, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Xtron- Optimizer-Pro_Logon, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\USERS\PUBLIC\Desktop\Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717840],1.0.11928 PUP.Optional.PCVARK, C:\PROGRAMDATA\Xtron- Optimizer-Pro_{username}\mdb.db, Quarantined, [470], [717838],1.0.11928 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Xtron- Optimizer-Pro_{username}\Errorlog.txt, Quarantined, [470], [717837],1.0.11928 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\aptnotfr.xml, Quarantined, [470], [717837],1.0.11928 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\exlist.bin, Quarantined, [470], [717837],1.0.11928 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\res.xml, Quarantined, [470], [717837],1.0.11928 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Xtron- Optimizer-Pro_{username}\upt.xml, Quarantined, [470], [717837],1.0.11928 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Xtron- Optimizer-Pro_{username}\Buy Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717839],1.0.11928 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username}\Uninstall Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717839],1.0.11928 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xtron- Optimizer-Pro_{username}\Xtron- Optimizer-Pro.lnk, Quarantined, [470], [717839],1.0.11928 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\XTRON- OPTIMIZER-PRO SETUP.EXE, Quarantined, [470], [649610],1.0.11928 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Docset?The Malwarebytes research team has determined that Docset is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Docset?You may see this entry in your list of installed Chrome extensions:and these warnings during install:How did Docset get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Docset?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Docset? No, Malwarebytes removes Docset completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Docset hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Docset) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi [2019-08-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0 Adds the file background.js"="8/8/2019 12:28 PM, 5382 bytes, A Adds the file manifest.json"="8/8/2019 9:06 AM, 1713 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata Adds the file computed_hashes.json"="8/8/2019 9:06 AM, 404 bytes, A Adds the file verified_contents.json"="8/8/2019 12:28 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons Adds the file icon128.png"="8/8/2019 9:06 AM, 2188 bytes, A Adds the file icon48.png"="8/8/2019 9:06 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi Adds the file 000003.log"="8/8/2019 9:09 AM, 0 bytes, A Adds the file CURRENT"="8/8/2019 9:09 AM, 16 bytes, A Adds the file LOCK"="8/8/2019 9:09 AM, 0 bytes, A Adds the file LOG"="8/8/2019 9:09 AM, 0 bytes, A Adds the file MANIFEST-000001"="8/8/2019 9:09 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cjpnndfekemedjpbkbncodpefimlfmbi"="REG_SZ", "46D6156A281ACFD964EF465BB90364F33D86FFC45A0EB09FDCCC3154C5FAAB21" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/8/19 Scan Time: 9:16 AM Log File: 75f7a975-b9ac-11e9-a53a-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11908 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236368 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 6 min, 42 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.QuickGoSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cjpnndfekemedjpbkbncodpefimlfmbi, Quarantined, [352], [663238],1.0.11908 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJPNNDFEKEMEDJPBKBNCODPEFIMLFMBI, Quarantined, [352], [663238],1.0.11908 File: 13 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\000003.log, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\CURRENT, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\LOCK, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\LOG, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjpnndfekemedjpbkbncodpefimlfmbi\MANIFEST-000001, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CJPNNDFEKEMEDJPBKBNCODPEFIMLFMBI\3.3.4_0\MANIFEST.JSON, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons\icon128.png, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\icons\icon48.png, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata\computed_hashes.json, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\_metadata\verified_contents.json, Quarantined, [352], [663238],1.0.11908 PUP.Optional.QuickGoSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpnndfekemedjpbkbncodpefimlfmbi\3.3.4_0\background.js, Quarantined, [352], [663238],1.0.11908 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is PDF Converter by Safely?The Malwarebytes research team has determined that PDF Converter by Safely is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by PDF Converter by Safely?You may see these new browser extensions/add-ons:and these warnings during install:You will see this icon in the browser's menu-bar:How did PDF Converter by Safely get on my computer?Browser hijackers use different methods for distributing themselves. The Chrome extension was downloaded from the webstore:after a redirect from their website:How do I remove PDF Converter by Safely?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PDF Converter by Safely? No, Malwarebytes removes PDF Converter by Safely completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the PDF Converter by Safely hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF Extension: (PDF Converter by Safely) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{f459049d-939d-432e-83c7-07ced47e629a}.xpi [2019-08-07] [UpdateUrl:hxxps://addons.search-safely.net/pcff/updates.json] CHR DefaultSearchURL: Default -> hxxp://www.pdfsearchsafe.com/search/?category=web&s=g6ds&q={searchTerms} CHR DefaultSearchKeyword: Default -> PDF Converter CHR DefaultSuggestURL: Default -> hxxp://sug.pdfsearchsafe.com/search/index_sg.php?q={searchTerms} CHR Extension: (PDF Converter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd [2019-08-07] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0 Adds the file config.js"="5/27/2019 11:10 AM, 1557 bytes, A Adds the file manifest.json"="8/7/2019 9:20 AM, 2135 bytes, A Adds the file rate.js"="5/27/2019 11:10 AM, 2585 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata Adds the file computed_hashes.json"="8/7/2019 9:20 AM, 10702 bytes, A Adds the file verified_contents.json"="6/25/2019 4:02 PM, 5796 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg Adds the file background.html"="5/27/2019 11:10 AM, 200 bytes, A Adds the file background.js"="6/23/2019 3:58 PM, 2217 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img Adds the file close-icon.png"="5/27/2019 11:10 AM, 230 bytes, A Adds the file cog-icon.png"="5/27/2019 11:10 AM, 393 bytes, A Adds the file icon128.png"="8/7/2019 9:20 AM, 2270 bytes, A Adds the file icon16.png"="8/7/2019 9:20 AM, 518 bytes, A Adds the file icon48.png"="8/7/2019 9:20 AM, 1069 bytes, A Adds the file pdf_converter_presentation2.gif"="5/27/2019 11:10 AM, 117798 bytes, A Adds the file type-jpg.svg"="5/27/2019 11:10 AM, 3521 bytes, A Adds the file type-pjpg.svg"="5/27/2019 11:10 AM, 4369 bytes, A Adds the file type-png.svg"="5/27/2019 11:10 AM, 3250 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare Adds the file close.png"="5/27/2019 11:10 AM, 1920 bytes, A Adds the file rate.jpg"="5/27/2019 11:10 AM, 102155 bytes, A Adds the file rate1.png"="5/27/2019 11:10 AM, 12334 bytes, A Adds the file share.jpg"="5/27/2019 11:10 AM, 17633 bytes, A Adds the file share1.png"="5/27/2019 11:10 AM, 4466 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\inject Adds the file onInstallCallback.js"="5/27/2019 11:10 AM, 684 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery Adds the file jquery.cookie.js"="5/27/2019 11:10 AM, 4341 bytes, A Adds the file jquery.min.js"="5/27/2019 11:10 AM, 84249 bytes, A Adds the file jquery-ui.custom.min.js"="5/27/2019 11:10 AM, 228088 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css Adds the file jquery-ui.custom.css"="5/27/2019 11:10 AM, 20579 bytes, A Adds the file override-page.css"="5/27/2019 11:10 AM, 5513 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images Adds the file ui-bg_flat_55_999999_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A Adds the file ui-bg_flat_75_aaaaaa_40x100.png"="5/27/2019 11:10 AM, 180 bytes, A Adds the file ui-bg_glass_45_0078ae_1x400.png"="5/27/2019 11:10 AM, 136 bytes, A Adds the file ui-bg_glass_55_f8da4e_1x400.png"="5/27/2019 11:10 AM, 131 bytes, A Adds the file ui-bg_glass_75_79c9ec_1x400.png"="5/27/2019 11:10 AM, 132 bytes, A Adds the file ui-bg_gloss-wave_50_38cfff_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A Adds the file ui-bg_gloss-wave_75_2191c0_500x100.png"="5/27/2019 11:10 AM, 89 bytes, A Adds the file ui-bg_inset-hard_100_fcfdfd_1x100.png"="5/27/2019 11:10 AM, 88 bytes, A Adds the file ui-icons_056b93_256x240.png"="5/27/2019 11:10 AM, 5355 bytes, A Adds the file ui-icons_d8e7f3_256x240.png"="5/27/2019 11:10 AM, 4369 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {f459049d-939d-432e-83c7-07ced47e629a}.xpi"="8/7/2019 9:30 AM, 468509 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "flihljijbojekggaafjfjfnfipamdndd"="REG_SZ", "106A231E5CEF9CC121B62F6BC36D05549DEC6BDC4558C0FB06A70114FD11A6CA" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/7/19 Scan Time: 12:09 PM Log File: 6a1ba558-b8fb-11e9-b68b-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11896 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236317 Threats Detected: 53 Threats Quarantined: 53 Time Elapsed: 10 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Safely, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|flihljijbojekggaafjfjfnfipamdndd, Quarantined, [349], [717247],1.0.11896 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\inject, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FLIHLJIJBOJEKGGAAFJFJFNFIPAMDNDD, Quarantined, [349], [717247],1.0.11896 File: 42 PUP.Optional.Safely, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{PROFILE}.DEFAULT\EXTENSIONS\{F459049D-939D-432E-83C7-07CED47E629A}.XPI, Quarantined, [349], [672276],1.0.11896 PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FLIHLJIJBOJEKGGAAFJFJFNFIPAMDNDD\1.0.0_0\MANIFEST.JSON, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg\background.html, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\bg\background.js, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\close.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\rate.jpg, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\rate1.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\share.jpg, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\rateshare\share1.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\close-icon.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\cog-icon.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\icon128.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\icon16.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\icon48.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\pdf_converter_presentation2.gif, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\type-jpg.svg, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\type-pjpg.svg, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\img\type-png.svg, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\inject\onInstallCallback.js, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_flat_55_999999_40x100.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_flat_75_aaaaaa_40x100.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_glass_45_0078ae_1x400.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_glass_55_f8da4e_1x400.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_glass_75_79c9ec_1x400.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_gloss-wave_50_38cfff_500x100.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_gloss-wave_75_2191c0_500x100.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-bg_inset-hard_100_fcfdfd_1x100.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-icons_056b93_256x240.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\images\ui-icons_d8e7f3_256x240.png, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\jquery-ui.custom.css, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\css\override-page.css, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\jquery-ui.custom.min.js, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\jquery.cookie.js, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\jquery\jquery.min.js, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata\computed_hashes.json, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\_metadata\verified_contents.json, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\config.js, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\flihljijbojekggaafjfjfnfipamdndd\1.0.0_0\rate.js, Quarantined, [349], [717247],1.0.11896 PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [349], [717248],1.0.11896 PUP.Optional.Safely, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [349], [717248],1.0.11896 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is Delete Facebook Messages?The Malwarebytes research team has determined that Delete Facebook Messages is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particualr one also changes the Newtab page.How do I know if my computer is affected by Delete Facebook Messages?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and these changed settings:How did Delete Facebook Messages get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Delete Facebook Messages?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Delete Facebook Messages? No, Malwarebytes removes Delete Facebook Messages completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Delete Facebook Messages hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://gclddpoljobheacaakifdocnknfcmeeh/newtab/index.html" CHR DefaultSearchURL: Default -> hxxps://dfbmsgs.com/search?q={searchTerms} CHR DefaultSearchKeyword: Default -> dfb CHR Extension: (DFB Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh [2019-08-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0 Adds the file background.html"="6/20/2019 11:56 PM, 123 bytes, A Adds the file manifest.json"="8/6/2019 8:56 AM, 1776 bytes, A Adds the file popup.html"="3/15/2019 2:23 PM, 2982 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata Adds the file computed_hashes.json"="8/6/2019 8:56 AM, 6823 bytes, A Adds the file verified_contents.json"="7/10/2019 9:34 AM, 3353 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\css Adds the file bootstrap.min.css"="11/21/2017 12:11 AM, 144302 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons Adds the file fb.png"="5/7/2019 10:09 AM, 4160 bytes, A Adds the file fb16.png"="6/10/2019 12:28 PM, 3613 bytes, A Adds the file icon.png"="8/6/2019 8:56 AM, 6461 bytes, A Adds the file no-image-icon-13.png"="7/8/2019 3:18 PM, 3107 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js Adds the file angular.min.js"="8/13/2016 4:12 AM, 155877 bytes, A Adds the file archive.js"="6/4/2019 10:02 AM, 5608 bytes, A Adds the file background.js"="7/10/2019 9:21 AM, 2713 bytes, A Adds the file bootstrap.min.js"="2/12/2017 8:25 PM, 28669 bytes, A Adds the file fb - Copy.js"="11/21/2017 3:44 AM, 6055 bytes, A Adds the file fb.js"="6/4/2019 10:06 AM, 5604 bytes, A Adds the file is_sdk1.4.js"="6/20/2019 11:55 PM, 10215 bytes, A Adds the file jquery.min.js"="8/26/2016 10:35 PM, 83304 bytes, A Adds the file popup.js"="6/4/2019 10:01 AM, 3746 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab Adds the file index.html"="7/8/2019 3:16 PM, 989 bytes, A Adds the file newtab.js"="7/8/2019 3:16 PM, 2057 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh Adds the file 000003.log"="8/6/2019 8:56 AM, 68 bytes, A Adds the file CURRENT"="8/6/2019 8:56 AM, 16 bytes, A Adds the file LOCK"="8/6/2019 8:56 AM, 0 bytes, A Adds the file LOG"="8/6/2019 8:56 AM, 184 bytes, A Adds the file MANIFEST-000001"="8/6/2019 8:56 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gclddpoljobheacaakifdocnknfcmeeh"="REG_SZ", "40D8E54D876A6CD3E345C26D20C51A76006A2A04CD61F108EFE26BFC23066DFF" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/6/19 Scan Time: 8:46 AM Log File: f4cdf3b8-b815-11e9-8e55-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11876 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236347 Threats Detected: 38 Threats Quarantined: 38 Time Elapsed: 6 min, 42 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.UKTopFive, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gclddpoljobheacaakifdocnknfcmeeh, Quarantined, [370], [674082],1.0.11876 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\css, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GCLDDPOLJOBHEACAAKIFDOCNKNFCMEEH, Quarantined, [370], [674082],1.0.11876 File: 29 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\000003.log, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\CURRENT, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\LOCK, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\LOG, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\LOG.old, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\gclddpoljobheacaakifdocnknfcmeeh\MANIFEST-000001, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GCLDDPOLJOBHEACAAKIFDOCNKNFCMEEH\3.0.3_0\MANIFEST.JSON, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\css\bootstrap.min.css, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\fb.png, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\fb16.png, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\icon.png, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\icons\no-image-icon-13.png, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\angular.min.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\archive.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\background.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\bootstrap.min.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\fb - Copy.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\fb.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\is_sdk1.4.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\jquery.min.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\js\popup.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab\index.html, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\newtab\newtab.js, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata\computed_hashes.json, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\_metadata\verified_contents.json, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\background.html, Quarantined, [370], [674082],1.0.11876 PUP.Optional.UKTopFive, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gclddpoljobheacaakifdocnknfcmeeh\3.0.3_0\popup.html, Quarantined, [370], [674082],1.0.11876 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is Shark PC Protector?The Malwarebytes research team has determined that Shark PC Protector is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Shark PC Protector?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Shark PC Protector get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Shark PC Protector?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Shark PC Protector? No, Malwarebytes removes Shark PC Protector completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Shark PC Protector installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe Task: {94427936-D024-4D0E-8A85-3496931204CE} - System32\Tasks\Shark PC Protector => C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe [3240752 2019-06-06] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) S2 COMServices; C:\Program Files (x86)\Shark PC Protector\svc//COMServices.exe [X] C:\Windows\System32\Tasks\Shark PC Protector C:\Users\Public\Desktop\Shark PC Protector.lnk C:\Users\{username}\AppData\Roaming\Shark PC Protector C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shark PC Protector C:\Program Files (x86)\Shark PC Protector C:\Users\{username}\Downloads\Trojan.Worm.720266.msh C:\Users\{username}\Downloads\Trojan.Worm.361461.msh Shark PC Protector (HKLM-x32\...\{E6302A5A-54A4-4A53-9BE7-EA9AC128D298}}_is1) (Version: 1.0 - Econosoft Global Services Pte. Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Shark PC Protector Adds the file Interop.NATUPNPLib.dll"="4/19/2018 12:25 PM, 7168 bytes, A Adds the file Interop.NETCONLib.dll"="4/19/2018 12:25 PM, 9728 bytes, A Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 12:25 PM, 19456 bytes, A Adds the file Interop.Shell32.dll"="4/19/2018 12:25 PM, 36864 bytes, A Adds the file Interop.WUApiLib.dll"="4/19/2018 12:25 PM, 73728 bytes, A Adds the file ksb.bat"="8/8/2018 9:05 PM, 208 bytes, A Adds the file logo.ico"="6/6/2019 2:49 PM, 21662 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 12:31 PM, 171008 bytes, A Adds the file sharkpcprotector.exe"="6/6/2019 7:59 PM, 3240752 bytes, A Adds the file SharpCompress.dll"="4/19/2018 12:35 PM, 418304 bytes, A Adds the file Sys_Trace.xml"="4/19/2018 12:45 PM, 46 bytes, A Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file unins000.dat"="8/5/2019 9:17 AM, 64650 bytes, A Adds the file unins000.exe"="8/5/2019 9:16 AM, 732976 bytes, A Adds the file unins000.msg"="8/5/2019 9:17 AM, 11573 bytes, A Adds the file WpfAnimatedGif.dll"="4/19/2018 12:20 PM, 28160 bytes, A Adds the file WPFToolkit.dll"="4/19/2018 12:20 PM, 467288 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\Backup Adds the folder C:\Program Files (x86)\Shark PC Protector\de Adds the file sharkpcprotector.resources.dll"="6/6/2019 7:58 PM, 29696 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\en Adds the file sharkpcprotector.resources.dll"="6/6/2019 7:58 PM, 27136 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\ja-jp Adds the file sharkpcprotector.resources.dll"="6/6/2019 7:58 PM, 33280 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\uni Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file Uninstaller.exe"="6/6/2019 7:51 PM, 527152 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\en Adds the file Uninstaller.resources.dll"="6/6/2019 7:51 PM, 25600 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\ja-jp Adds the file Uninstaller.resources.dll"="6/6/2019 7:51 PM, 33280 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\x64 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\uni\x86 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\x64 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A Adds the folder C:\Program Files (x86)\Shark PC Protector\x86 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shark PC Protector Adds the file Shark PC Protector.lnk"="8/5/2019 9:17 AM, 1231 bytes, A Adds the file Uninstall Shark PC Protector.lnk"="8/5/2019 9:17 AM, 1191 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\Backup Adds the folder C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\setting Adds the file pbp_sett.ash"="8/5/2019 9:19 AM, 2043904 bytes, A In the existing folder C:\Users\{username}\Downloads Adds the file Trojan.Worm.361461.msh"="8/1/2019 1:21 PM, 259 bytes, A Adds the file Trojan.Worm.720266.msh"="8/1/2019 1:21 PM, 259 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Shark PC Protector.lnk"="8/5/2019 9:17 AM, 1213 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Shark PC Protector"="8/5/2019 9:17 AM, 3252 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\SPP\Activation] "Insdate"="REG_SZ", "0vk82II+kwASrHMk467xg06RZVH33BDSyywI+67hxko=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "1qGZiOOFObHe4TpZYfRFLO1Z730z7GABrbVp9jOxcMo=" "lbp"="REG_SZ", "1qGZiOOFObHe4TpZYfRFLO1Z730z7GABrbVp9jOxcMo=" "lr"="REG_SZ", "2NQXF+b/h86YyDSWaGiUCTkIftjJWmJhQDtWYmdPLtw=" "lsp"="REG_SZ", "1qGZiOOFObHe4TpZYfRFLO1Z730z7GABrbVp9jOxcMo=" "PN"="REG_SZ", "+1(888)200-8889" "Program"="REG_SZ", "Shark PC Protector" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\SPP\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "Shark PC Protector" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E6302A5A-54A4-4A53-9BE7-EA9AC128D298}}_is1] "Comments"="REG_SZ", "Shark PC Protector" "Contact"="REG_SZ", "0800-183-3940" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Shark PC Protector\logo.ico" "DisplayName"="REG_SZ", "Shark PC Protector" "DisplayVersion"="REG_SZ", "1.0" "EstimatedSize"="REG_DWORD", 13749 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Shark PC Protector" "Inno Setup: Icon Group"="REG_SZ", "Shark PC Protector" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.6 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190805" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Shark PC Protector\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Shark PC Protector\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Shark PC Protector\unins000.exe"" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMServices] "DisplayName"="REG_SZ", "COMServices" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\Shark PC Protector\svc//COMServices.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Shark PC Protector"="REG_SZ", ""C:\Program Files (x86)\Shark PC Protector\ksb.bat"" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/5/19 Scan Time: 9:26 AM Log File: 60fc5026-b752-11e9-88c6-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11862 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236500 Threats Detected: 70 Threats Quarantined: 70 Time Elapsed: 8 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe, Quarantined, [1514], [709339],1.0.11862 Module: 2 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x64\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe, Quarantined, [1514], [709339],1.0.11862 Registry Key: 9 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SHARK PC PROTECTOR, Quarantined, [1514], [709341],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{94427936-D024-4D0E-8A85-3496931204CE}, Quarantined, [1514], [709341],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{94427936-D024-4D0E-8A85-3496931204CE}, Quarantined, [1514], [709341],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E6302A5A-54A4-4A53-9BE7-EA9AC128D298}}_is1, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\FT\SPP, Quarantined, [1514], [709343],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\WOW6432NODE\FT\SPP, Quarantined, [1514], [709343],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\COMSERVICES, Quarantined, [1514], [709345],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\TRACING\sharkpcprotector_RASAPI32, Quarantined, [1514], [709344],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\TRACING\sharkpcprotector_RASMANCS, Quarantined, [1514], [709344],1.0.11862 Registry Value: 3 PUP.Optional.SharkPCProtector, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Shark PC Protector, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\COMSERVICES|IMAGEPATH, Quarantined, [1514], [709345],1.0.11862 PUP.Optional.SharkPCProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{94427936-D024-4D0E-8A85-3496931204CE}|PATH, Quarantined, [1514], [709349],1.0.11862 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 17 PUP.Optional.SharkPCProtector, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SHARK PC PROTECTOR, Quarantined, [1514], [709340],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\ja-jp, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x64, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x86, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Backup, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\en, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\ja-jp, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x64, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x86, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\de, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\en, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\PROGRAM FILES (X86)\SHARK PC PROTECTOR, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\setting, Quarantined, [1514], [709336],1.0.11862 PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\Backup, Quarantined, [1514], [709336],1.0.11862 PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online, Quarantined, [1514], [709336],1.0.11862 PUP.Optional.SharkPCProtector, C:\USERS\{username}\APPDATA\ROAMING\SHARK PC PROTECTOR, Quarantined, [1514], [709336],1.0.11862 File: 38 PUP.Optional.SharkPCProtector, C:\WINDOWS\SYSTEM32\TASKS\SHARK PC PROTECTOR, Quarantined, [1514], [709341],1.0.11862 PUP.Optional.SharkPCProtector, C:\USERS\PUBLIC\DESKTOP\SHARK PC PROTECTOR.LNK, Quarantined, [1514], [709337],1.0.11862 PUP.Optional.SharkPCProtector, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SHARK PC PROTECTOR\UNINSTALL SHARK PC PROTECTOR.LNK, Quarantined, [1514], [709340],1.0.11862 PUP.Optional.SharkPCProtector, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shark PC Protector\Shark PC Protector.lnk, Quarantined, [1514], [709340],1.0.11862 PUP.Optional.SharkPCProtector, C:\PROGRAM FILES (X86)\SHARK PC PROTECTOR\UNINS000.MSG, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\de\sharkpcprotector.resources.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\en\sharkpcprotector.resources.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\ja-jp\sharkpcprotector.resources.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\en\Uninstaller.resources.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\ja-jp\Uninstaller.resources.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x64\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\x86\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\System.Data.SQLite.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\System.Data.SQLite.xml, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\uni\Uninstaller.exe, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x64\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\x86\SQLite.Interop.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.NATUPNPLib.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.NETCONLib.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.NetFwTypeLib.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.Shell32.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Interop.WUApiLib.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\ksb.bat, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\logo.ico, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\sharkpcprotector.exe, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\SharpCompress.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\System.Data.SQLite.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\System.Data.SQLite.xml, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\Sys_Trace.xml, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\unins000.dat, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\unins000.exe, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\WpfAnimatedGif.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Program Files (x86)\Shark PC Protector\WPFToolkit.dll, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Shark PC Protector.lnk, Quarantined, [1514], [709339],1.0.11862 PUP.Optional.SharkPCProtector, C:\Users\{username}\AppData\Roaming\Shark PC Protector\PC Repair Online\setting\pbp_sett.ash, Quarantined, [1514], [709336],1.0.11862 PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-492UD.TMP\SHARKPCPROTECTOR.TMP, Quarantined, [566], [711523],1.0.11862 PUP.Optional.PCBooster, C:\USERS\{username}\DESKTOP\SHARKPCPROTECTOR.EXE, Quarantined, [566], [711523],1.0.11862 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Full PC Care 2.0?The Malwarebytes research team has determined that Full PC Care 2.0 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Full PC Care 2.0?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this screen during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Full PC Care 2.0 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Full PC Care 2.0?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Full PC Care 2.0? No, Malwarebytes removes Full PC Care 2.0 completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Full PC Care 2.0 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (ADVANCED PC UTILITIES -> ) C:\Program Files\Full PC Care 2.0_{username}\rgcl.exe Task: {9DBDC30F-A49C-4580-8225-2D314A50D116} - System32\Tasks\Full PC Care 2.0_Logon => C:\Program Files\Full PC Care 2.0_{username}\rgcl.exe [1892888 2019-07-25] (ADVANCED PC UTILITIES -> ) C:\Windows\System32\Tasks\Full PC Care 2.0_Logon C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username} C:\Users\Public\Desktop\Full PC Care 2.0.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full PC Care 2.0_{username} C:\ProgramData\Full PC Care 2.0_{username} C:\Program Files\Full PC Care 2.0_{username} Full PC Care 2.0 (HKLM\...\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1) (Version: 1.0.0.0 - ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Full PC Care 2.0_{username} Adds the file application.ico"="7/25/2019 3:19 PM, 71683 bytes, A Adds the file danish_iss.ini"="5/29/2019 3:54 PM, 2402 bytes, A Adds the file HtmlRenderer.dll"="7/25/2019 6:10 PM, 235032 bytes, A Adds the file HtmlRenderer.WinForms.dll"="7/25/2019 6:10 PM, 73752 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="7/25/2019 6:10 PM, 62488 bytes, A Adds the file Interop.SHDocVw.dll"="7/25/2019 6:10 PM, 177176 bytes, A Adds the file langs.db"="6/24/2019 5:44 PM, 486400 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="7/25/2019 6:10 PM, 184344 bytes, A Adds the file NAudio.dll"="7/25/2019 6:10 PM, 484376 bytes, A Adds the file Newtonsoft.Json.dll"="7/25/2019 6:10 PM, 474136 bytes, A Adds the file rgcl.exe"="7/25/2019 6:10 PM, 1892888 bytes, A Adds the file rgcl.exe.config"="7/25/2019 6:10 PM, 4529 bytes, A Adds the file rpics.dll"="7/25/2019 6:10 PM, 808984 bytes, A Adds the file System.Data.SQLite.DLL"="7/25/2019 6:10 PM, 304152 bytes, A Adds the file TAFactory.IconPack.dll"="7/25/2019 6:10 PM, 50200 bytes, A Adds the file unins000.dat"="8/2/2019 8:37 AM, 75139 bytes, A Adds the file unins000.exe"="8/2/2019 8:37 AM, 1257496 bytes, A Adds the file unins000.msg"="8/2/2019 8:37 AM, 22701 bytes, A Adds the folder C:\Program Files\Full PC Care 2.0_{username}\x64 Adds the file SQLite.Interop.dll"="7/25/2019 6:10 PM, 1188888 bytes, A Adds the folder C:\Program Files\Full PC Care 2.0_{username}\x86 Adds the file SQLite.Interop.dll"="7/25/2019 6:10 PM, 867864 bytes, A Adds the folder C:\ProgramData\Full PC Care 2.0_{username} Adds the file mdb.db"="6/25/2019 6:28 PM, 6643712 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full PC Care 2.0_{username} Adds the file Buy Full PC Care 2.0.lnk"="8/2/2019 8:37 AM, 948 bytes, A Adds the file Full PC Care 2.0.lnk"="8/2/2019 8:37 AM, 936 bytes, A Adds the file Uninstall Full PC Care 2.0.lnk"="8/2/2019 8:37 AM, 960 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username} Adds the file aptnotfr.xml"="8/2/2019 8:38 AM, 7487 bytes, A Adds the file Errorlog.txt"="8/2/2019 8:41 AM, 20806 bytes, A Adds the file exlist.bin"="8/2/2019 8:38 AM, 257907 bytes, A Adds the file res.xml"="8/2/2019 8:41 AM, 14653 bytes, A Adds the file upt.xml"="8/2/2019 8:38 AM, 19508 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username}\smico In the existing folder C:\Users\Public\Desktop Adds the file Full PC Care 2.0.lnk"="8/2/2019 8:37 AM, 918 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Full PC Care 2.0_Logon"="8/2/2019 8:38 AM, 3062 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Full PC Care 2.0_{username}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.fullpccare.co/install/fpc/?" "apst"="REG_DWORD", 0 "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delayfront"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ....................................................................... "Installstring"="REG_SZ", "C:\Program Files\Full PC Care 2.0_{username}" "ipaddrurl"="REG_SZ", "http://ins.fullpccare.co/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 0 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 37 "lstscandate"="REG_SZ", "8/2/2019 8:41:30 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 37 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.xscactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://www.syscarestore.com/fpc/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://www.syscarestore.com/fpc/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.fullpccare.co/help/" "TELNO"="REG_SZ", "855-446-9808" "TELNO_ar"="REG_SZ", "" "TELNO_at"="REG_SZ", "" "TELNO_au"="REG_SZ", "" "TELNO_be"="REG_SZ", "" "TELNO_br"="REG_SZ", "" "TELNO_ca"="REG_SZ", "855-446-9808" "TELNO_ch"="REG_SZ", "" "TELNO_de"="REG_SZ", "" "TELNO_dk"="REG_SZ", "" "TELNO_es"="REG_SZ", "" "TELNO_fi"="REG_SZ", "" "TELNO_fr"="REG_SZ", "" "TELNO_gb"="REG_SZ", "" "TELNO_it"="REG_SZ", "" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "" "TELNO_nl"="REG_SZ", "" "TELNO_no"="REG_SZ", "" "TELNO_pt"="REG_SZ", "" "TELNO_se"="REG_SZ", "" "TELNO_uk"="REG_SZ", "" "TELNO_us"="REG_SZ", "855-446-9808" "WebURL"="REG_SZ", "http://www.fullpccare.co/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "{user-IP}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Full PC Care 2.0_{username}\rgcl.exe" "DisplayName"="REG_SZ", "Full PC Care 2.0" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 15731 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Full PC Care 2.0_{username}" "Inno Setup: Icon Group"="REG_SZ", "Full PC Care 2.0_{username}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190802" "InstallLocation"="REG_SZ", "C:\Program Files\Full PC Care 2.0_{username}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Full PC Care 2.0_{username}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Full PC Care 2.0_{username}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\RnVsbCBQQyBDYXJlIDIuMA==\ACT] "data"="REG_BINARY, ................................................................................. [HKEY_LOCAL_MACHINE\SOFTWARE\xsc-pr] "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Full PC Care 2.0_{username}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Full PC Care 2.0_{username}" "LangCode"="REG_SZ", "en" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "89_187_177_131" [HKEY_CURRENT_USER\Software\Full PC Care 2.0_{username}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\Full PC Care 2.0_{username}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/2/19 Scan Time: 8:50 AM Log File: c7ae2e2f-b4f1-11e9-b266-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11822 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236670 Threats Detected: 71 Threats Quarantined: 71 Time Elapsed: 6 min, 56 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\rgcl.exe, Quarantined, [468], [714767],1.0.11822 Module: 6 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\x64\SQLite.Interop.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\rgcl.exe, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\System.Data.SQLite.DLL, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\TAFactory.IconPack.dll, Quarantined, [468], [714767],1.0.11822 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Full PC Care 2.0_Logon, Quarantined, [468], [714768],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9DBDC30F-A49C-4580-8225-2D314A50D116}, Quarantined, [468], [714768],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{9DBDC30F-A49C-4580-8225-2D314A50D116}, Quarantined, [468], [714768],1.0.11822 PUP.Optional.PCVARK, HKCU\SOFTWARE\Full PC Care 2.0_{username}, Quarantined, [468], [714769],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR, Quarantined, [468], [698879],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\Full PC Care 2.0_{username}, Quarantined, [468], [714772],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E2C70A85-8F78-4434-B5D7-3EB8102FB5ED}_is1, Quarantined, [468], [714761],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\RnVsbCBQQyBDYXJlIDIuMA==, Quarantined, [468], [714773],1.0.11822 Registry Value: 4 PUP.Optional.PCVARK, HKCU\SOFTWARE\Full PC Care 2.0_{username}|AFFILIATEID, Quarantined, [468], [714769],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\XSC-PR|UTM_CAMPAIGN, Quarantined, [468], [698879],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\Full PC Care 2.0_{username}|AFFIRED, Quarantined, [468], [714772],1.0.11822 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9DBDC30F-A49C-4580-8225-2D314A50D116}|PATH, Quarantined, [468], [714766],1.0.11822 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username}\smico, Quarantined, [468], [714762],1.0.11822 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Full PC Care 2.0_{username}, Quarantined, [468], [714762],1.0.11822 PUP.Optional.PCVARK, C:\PROGRAMDATA\Full PC Care 2.0_{username}, Quarantined, [468], [714764],1.0.11822 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Full PC Care 2.0_{username}, Quarantined, [468], [714765],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\x64, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\x86, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\PROGRAM FILES\Full PC Care 2.0_{username}, Quarantined, [468], [714767],1.0.11822 File: 45 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Full PC Care 2.0_Logon, Quarantined, [468], [714768],1.0.11822 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Full PC Care 2.0_{username}\Errorlog.txt, Quarantined, [468], [714762],1.0.11822 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username}\aptnotfr.xml, Quarantined, [468], [714762],1.0.11822 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username}\exlist.bin, Quarantined, [468], [714762],1.0.11822 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username}\res.xml, Quarantined, [468], [714762],1.0.11822 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Full PC Care 2.0_{username}\upt.xml, Quarantined, [468], [714762],1.0.11822 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\Full PC Care 2.0.lnk, Quarantined, [468], [714760],1.0.11822 PUP.Optional.PCVARK, C:\PROGRAMDATA\Full PC Care 2.0_{username}\mdb.db, Quarantined, [468], [714764],1.0.11822 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Full PC Care 2.0_{username}\Buy Full PC Care 2.0.lnk, Quarantined, [468], [714765],1.0.11822 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full PC Care 2.0_{username}\Full PC Care 2.0.lnk, Quarantined, [468], [714765],1.0.11822 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Full PC Care 2.0_{username}\Uninstall Full PC Care 2.0.lnk, Quarantined, [468], [714765],1.0.11822 PUP.Optional.PCVARK, C:\PROGRAM FILES\Full PC Care 2.0_{username}\unins000.dat, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\x64\SQLite.Interop.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\x86\SQLite.Interop.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\langs.db, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\application.ico, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\danish_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\Dutch_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\english_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\finish_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\French_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\german_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\HtmlRenderer.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\HtmlRenderer.WinForms.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\Interop.IWshRuntimeLibrary.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\Interop.SHDocVw.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\italian_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\japanese_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\NAudio.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\Newtonsoft.Json.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\norwegian_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\portuguese_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\rgcl.exe, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\rgcl.exe.config, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\rpics.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\russian_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\spanish_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\swedish_iss.ini, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\System.Data.SQLite.DLL, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\TAFactory.IconPack.dll, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\unins000.exe, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\Program Files\Full PC Care 2.0_{username}\unins000.msg, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Full PC Care 2.0.lnk, Quarantined, [468], [714767],1.0.11822 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\FULL PC CARE 2.0.EXE, Quarantined, [468], [649610],1.0.11822 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Tres?The Malwarebytes research team has determined that Tres is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Tres?You may see this entry in your list of installed Chrome extensions:and these warnings during install:Despite this warning the install was successfulHow did Tres get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Tres?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Tres? No, Malwarebytes removes Tres completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Tres hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Tres) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh [2019-07-31] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0 Adds the file background.js"="7/17/2019 4:19 AM, 7742 bytes, A Adds the file manifest.json"="7/31/2019 2:01 PM, 7311 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\_metadata Adds the file computed_hashes.json"="7/31/2019 2:01 PM, 404 bytes, A Adds the file verified_contents.json"="7/29/2019 11:18 PM, 1645 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\icons Adds the file icon128.png"="7/31/2019 2:01 PM, 2188 bytes, A Adds the file icon48.png"="7/31/2019 2:01 PM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bjoigjeckcllkadljiceicgimdjnmhmh Adds the file 000003.log"="7/31/2019 2:03 PM, 128 bytes, A Adds the file CURRENT"="7/31/2019 2:01 PM, 16 bytes, A Adds the file LOCK"="7/31/2019 2:01 PM, 0 bytes, A Adds the file LOG"="7/31/2019 2:01 PM, 184 bytes, A Adds the file MANIFEST-000001"="7/31/2019 2:01 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_bjoigjeckcllkadljiceicgimdjnmhmh Adds the file Tres.ico"="7/31/2019 2:01 PM, 162813 bytes, A Adds the file Tres.ico.md5"="7/31/2019 2:01 PM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bjoigjeckcllkadljiceicgimdjnmhmh"="REG_SZ", "CA3655C0633625007946C318338C9195471815F032F970E2CDE538A0F1443647" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/31/19 Scan Time: 2:11 PM Log File: 634c5ffc-b38c-11e9-8b91-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11789 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236483 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 8 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.QXSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|bjoigjeckcllkadljiceicgimdjnmhmh, Quarantined, [351], [676735],1.0.11789 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\bjoigjeckcllkadljiceicgimdjnmhmh, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\_metadata, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\icons, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BJOIGJECKCLLKADLJICEICGIMDJNMHMH, Quarantined, [351], [676735],1.0.11789 File: 13 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bjoigjeckcllkadljiceicgimdjnmhmh\000003.log, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bjoigjeckcllkadljiceicgimdjnmhmh\CURRENT, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bjoigjeckcllkadljiceicgimdjnmhmh\LOCK, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bjoigjeckcllkadljiceicgimdjnmhmh\LOG, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bjoigjeckcllkadljiceicgimdjnmhmh\MANIFEST-000001, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BJOIGJECKCLLKADLJICEICGIMDJNMHMH\5.7_0\MANIFEST.JSON, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\icons\icon128.png, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\icons\icon48.png, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\_metadata\computed_hashes.json, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\_metadata\verified_contents.json, Quarantined, [351], [676735],1.0.11789 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bjoigjeckcllkadljiceicgimdjnmhmh\5.7_0\background.js, Quarantined, [351], [676735],1.0.11789 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is MS Total Security?The Malwarebytes research team has determined that MS Total Security is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with MS Total Security?This is how the main screen of the system optimizer looks:you may see these icons on your desktop and in your taskbar:and you may see this warning during install:and these screens during "operations":You may see these entries in your list of installed programs:How did MS Total Security get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove MS Total Security?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MS Total Security? No, Malwarebytes removes MS Total Security completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the MS Total Security installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (MS SOFT SOLUTIONS LTD) [File not signed] C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\MSTS.exe HKLM\...\Run: [MSTS] => C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\MSTS.exe [2034688 2018-02-03] (MS SOFT SOLUTIONS LTD) [File not signed] HKLM\...\Run: [iGKlP] => C:\Program Files\Hewlett-Packard\iGKlPSetup\iGKlP.exe [37888 2017-11-10] (Hewlett-Packard) [File not signed] C:\Program Files\Hewlett-Packard C:\Users\{username} Analyst\Desktop\MS Total Security.lnk C:\Users\{username} Analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MS Total Security.lnk C:\Program Files\MS SOFT SOLUTIONS LTD iGKlPSetup (HKLM\...\{63EA1C6B-895D-43AE-BC17-20809BF1D0B8}) (Version: 1.0.0 - Hewlett-Packard) MS Total Security (HKLM\...\{DDB1355A-8EC8-40A3-9BF0-E93AAF7D9FF2}) (Version: 1.0.0 - MS SOFT SOLUTIONS LTD) Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/31/19 Scan Time: 3:17 AM Log File: 57dc4f52-b37c-11e9-b270-080027b43158.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11789 License: Free -System Information- OS: Windows 8.1 CPU: x86 File System: NTFS User: MalwareAnalysis\{username} Analyst -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 174594 Threats Detected: 28 Threats Quarantined: 28 Time Elapsed: 7 min, 49 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 3 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MSTS\INSTALLED, Quarantined, [3044], [711723],1.0.11789 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{63EA1C6B-895D-43AE-BC17-20809BF1D0B8}, Quarantined, [3044], [713250],1.0.11789 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{DDB1355A-8EC8-40A3-9BF0-E93AAF7D9FF2}, Quarantined, [3044], [712622],1.0.11789 Registry Value: 5 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|IGKLP, Quarantined, [3044], [712608],1.0.11789 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MSTS\INSTALLED|PATH, Quarantined, [3044], [711723],1.0.11789 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MSTS, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{63EA1C6B-895D-43AE-BC17-20809BF1D0B8}|DISPLAYNAME, Quarantined, [3044], [713250],1.0.11789 PUP.Optional.MSTotalSecurity, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{DDB1355A-8EC8-40A3-9BF0-E93AAF7D9FF2}|DISPLAYNAME, Quarantined, [3044], [712622],1.0.11789 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.MSTotalSecurity, C:\PROGRAM FILES\MS SOFT SOLUTIONS LTD\MS TOTAL SECURITY, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\PROGRAM FILES\HEWLETT-PACKARD\IGKLPSETUP, Quarantined, [3044], [712605],1.0.11789 File: 16 PUP.Optional.MSTotalSecurity, C:\USERS\{username} ANALYST\DESKTOP\MS TOTAL SECURITY.LNK, Quarantined, [3044], [711721],1.0.11789 PUP.Optional.MSTotalSecurity, C:\USERS\{username} ANALYST\DESKTOP\MSTSSETUP.MSI, Quarantined, [3044], [711722],1.0.11789 PUP.Optional.MSTotalSecurity, C:\USERS\{username} ANALYST\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MS TOTAL SECURITY.LNK, Quarantined, [3044], [711720],1.0.11789 PUP.Optional.MSTotalSecurity, C:\PROGRAM FILES\HEWLETT-PACKARD\IGKLPSETUP\IGKLP.EXE, Quarantined, [3044], [712608],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\favico.ico, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\iGKlPSetup.exe, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\iGKlPSetup.msi, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\MSTS.exe, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\MSTS.exe.config, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\MSTS.InstallState, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\MySql.Data.dll, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\MS SOFT SOLUTIONS LTD\MS Total Security\setup.exe, Quarantined, [3044], [712604],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\Hewlett-Packard\iGKlPSetup\iGKlP.exe.config, Quarantined, [3044], [712605],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\Hewlett-Packard\iGKlPSetup\iGKlP.InstallState, Quarantined, [3044], [712605],1.0.11789 PUP.Optional.MSTotalSecurity, C:\Program Files\Hewlett-Packard\iGKlPSetup\MySql.Data.dll, Quarantined, [3044], [712605],1.0.11789 PUP.Optional.MSTotalSecurity, C:\USERS\{username} ANALYST\DESKTOP\MSTS.EXE, Quarantined, [3044], [711725],1.0.11789 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is MyFunCards?The Malwarebytes research team has determined that MyFunCards is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.MyFunCards is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by MyFunCards?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:this icon in the menu-bar of some of the affected browsers:and this new homepage in the affected browsers:How did MyFunCards get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove MyFunCards?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MyFunCards? No, Malwarebytes' Anti-Malware removes MyFunCards completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the MyFunCards hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/myfuncards/ttab02/index.html?n={n}&p2={ttab}&ptb={ptb}&coid={coid} FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _5mMembers_@download.myfuncards.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _5mMembers_@download.myfuncards.com FF Extension: (MyFunCards) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_5mMembers_@download.myfuncards.com.xpi [2019-07-29] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=27560036&version=8.914.15.58874&track=TTAB02&trackRevision=1&fromId=_5mMembers_%40download.myfuncards.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://jkbnhlhcdndaamafgbelomapajcnjpde/ntp.html" CHR Extension: (MyFunCards) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde [2019-07-29] C:\Users\{username}\AppData\Local\MyFunCardsTooltab MyFunCards Internet Explorer Homepage and New Tab (HKCU\...\MyFunCardsTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0 Adds the file manifest.json"="7/29/2019 5:29 PM, 2616 bytes, A Adds the file ntp.html"="6/6/2019 6:22 PM, 1423 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_locales\en Adds the file messages.json"="7/29/2019 5:29 PM, 257 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_metadata Adds the file computed_hashes.json"="7/29/2019 5:29 PM, 5503 bytes, A Adds the file verified_contents.json"="6/6/2019 6:22 PM, 5999 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\config Adds the file config.json"="6/6/2019 6:22 PM, 1467 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\icons Adds the file icon128.png"="7/29/2019 5:29 PM, 9225 bytes, A Adds the file icon16.png"="6/6/2019 6:22 PM, 1575 bytes, A Adds the file icon19disabled.png"="6/6/2019 6:22 PM, 1585 bytes, A Adds the file icon19on.png"="7/29/2019 5:29 PM, 794 bytes, A Adds the file icon48.png"="7/29/2019 5:29 PM, 2825 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js Adds the file ajax.js"="6/6/2019 6:22 PM, 3263 bytes, A Adds the file babAPI.js"="6/6/2019 6:22 PM, 5703 bytes, A Adds the file babClickHandler.js"="6/6/2019 6:22 PM, 11430 bytes, A Adds the file babContentScript.js"="6/6/2019 6:22 PM, 3749 bytes, A Adds the file babContentScriptAPI.js"="6/6/2019 6:22 PM, 9842 bytes, A Adds the file background.js"="6/6/2019 6:22 PM, 18011 bytes, A Adds the file browserUtils.js"="6/6/2019 6:22 PM, 1536 bytes, A Adds the file chrome.js"="6/6/2019 6:22 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="6/6/2019 6:22 PM, 22629 bytes, A Adds the file dateTimeUtils.js"="6/6/2019 6:22 PM, 1213 bytes, A Adds the file dlp.js"="6/6/2019 6:22 PM, 5783 bytes, A Adds the file dlpHelper.js"="6/6/2019 6:22 PM, 1835 bytes, A Adds the file extensionDetect.js"="6/6/2019 6:22 PM, 4354 bytes, A Adds the file index.js"="6/6/2019 6:22 PM, 49 bytes, A Adds the file localStorageContentScript.js"="6/6/2019 6:22 PM, 2236 bytes, A Adds the file logger.js"="6/6/2019 6:22 PM, 531 bytes, A Adds the file meta.js"="6/6/2019 6:22 PM, 1631 bytes, A Adds the file offerService.js"="6/6/2019 6:22 PM, 16953 bytes, A Adds the file pageUtils.js"="6/6/2019 6:22 PM, 3154 bytes, A Adds the file PartnerId.js"="6/6/2019 6:22 PM, 16402 bytes, A Adds the file polyfill.js"="6/6/2019 6:22 PM, 875 bytes, A Adds the file product.js"="6/6/2019 6:22 PM, 7837 bytes, A Adds the file remoteConfigLoader.js"="6/6/2019 6:22 PM, 5053 bytes, A Adds the file splashPageRedirectHandler.js"="6/6/2019 6:22 PM, 2821 bytes, A Adds the file storageUtils.js"="6/6/2019 6:22 PM, 1718 bytes, A Adds the file TemplateParser.js"="6/6/2019 6:22 PM, 3153 bytes, A Adds the file ul.js"="6/6/2019 6:22 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="6/6/2019 6:22 PM, 2450 bytes, A Adds the file urlUtils.js"="6/6/2019 6:22 PM, 5906 bytes, A Adds the file util.js"="6/6/2019 6:22 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="6/6/2019 6:22 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="6/6/2019 6:22 PM, 8765 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jkbnhlhcdndaamafgbelomapajcnjpde Adds the file 000003.log"="7/29/2019 5:34 PM, 5371 bytes, A Adds the file CURRENT"="7/29/2019 5:29 PM, 16 bytes, A Adds the file LOCK"="7/29/2019 5:29 PM, 0 bytes, A Adds the file LOG"="7/29/2019 5:34 PM, 412 bytes, A Adds the file LOG.old"="7/29/2019 5:29 PM, 185 bytes, A Adds the file MANIFEST-000001"="7/29/2019 5:29 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MyFunCardsTooltab Adds the file TooltabExtension.dll"="3/5/2019 10:46 PM, 273008 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _5mMembers_@download.myfuncards.com.xpi"="7/29/2019 5:32 PM, 85562 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jkbnhlhcdndaamafgbelomapajcnjpde"="REG_SZ", "02CFD39D2570DF51D1B39FACB9384911C4A987AD0009F7C779EC35032E537584" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/myfuncards/ttab02/index.html?n={n}&p2=^ZU^mni000^TTAB02&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFunCardsTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "MyFunCards Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\MyFunCardsTooltab\TooltabExtension.dll" U uninstall:MyFunCards" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\MyFunCards] "Start Page"="REG_SZ", "http://hp.myway.com/myfuncards/ttab02/index.html?n={n}&p2={ttab}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?c={ptb}&ptb={ttab}" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/29/19 Scan Time: 5:45 PM Log File: da0f4cb0-b217-11e9-bba6-00ffdcc6fdfc.json -Software Information- Version: 3.8.3.2965 Components Version: 1.0.613 Update Package Version: 1.0.11770 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236570 Threats Detected: 71 Threats Quarantined: 71 Time Elapsed: 7 min, 21 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyFunCardsTooltab\TooltabExtension.dll, Quarantined, [1765], [356944],1.0.11770 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MyFunCardsTooltab Uninstall Internet Explorer, Quarantined, [1765], [356944],1.0.11770 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MyFunCards, Quarantined, [1765], [444113],1.0.11770 Registry Value: 3 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MyFunCardsTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [638], [352442],1.0.11770 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MyFunCards|START PAGE, Quarantined, [1765], [444113],1.0.11770 PUP.Optional.MindSpark, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jkbnhlhcdndaamafgbelomapajcnjpde, Quarantined, [638], [389390],1.0.11770 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [638], [293497],1.0.11770 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyFunCardsTooltab, Quarantined, [1765], [356944],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_locales\en, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_metadata, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_locales, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\config, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\icons, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL EXTENSION SETTINGS\JKBNHLHCDNDAAMAFGBELOMAPAJCNJPDE, Quarantined, [638], [389390],1.0.11770 File: 54 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyFunCardsTooltab\TooltabExtension.dll, Quarantined, [1765], [356944],1.0.11770 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_5mMembers_@download.myfuncards.com.xpi, Quarantined, [1765], [457930],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jkbnhlhcdndaamafgbelomapajcnjpde\000003.log, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jkbnhlhcdndaamafgbelomapajcnjpde\CURRENT, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jkbnhlhcdndaamafgbelomapajcnjpde\LOCK, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jkbnhlhcdndaamafgbelomapajcnjpde\LOG, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jkbnhlhcdndaamafgbelomapajcnjpde\LOG.old, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jkbnhlhcdndaamafgbelomapajcnjpde\MANIFEST-000001, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\config\config.json, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\icons\icon128.png, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\icons\icon16.png, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\icons\icon19disabled.png, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\icons\icon19on.png, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\icons\icon48.png, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\localStorageContentScript.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\ajax.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\babAPI.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\babClickHandler.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\babContentScript.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\babContentScriptAPI.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\background.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\browserUtils.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\chrome.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\contentScriptConnectionManager.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\dateTimeUtils.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\dlp.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\dlpHelper.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\extensionDetect.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\index.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\logger.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\meta.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\offerService.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\pageUtils.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\PartnerId.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\polyfill.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\product.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\remoteConfigLoader.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\splashPageRedirectHandler.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\storageUtils.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\TemplateParser.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\ul.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\urlFragmentActions.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\urlUtils.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\util.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\webtooltabAPI.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\js\webTooltabAPIProxy.js, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_locales\en\messages.json, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_metadata\computed_hashes.json, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\_metadata\verified_contents.json, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\manifest.json, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkbnhlhcdndaamafgbelomapajcnjpde\13.882.15.38182_0\ntp.html, Quarantined, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [638], [389390],1.0.11770 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\MYFUNCARDS.EXE, Quarantined, [638], [365288],1.0.11770 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is PC Speeder Pro?The Malwarebytes research team has determined that PC Speeder Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with PC Speeder Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did PC Speeder Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove PC Speeder Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PC Speeder Pro? No, Malwarebytes removes PC Speeder Pro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the PC Speeder Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\PC Speeder Pro\pcspeederpro.exe Task: {2E1B7583-29FF-47EA-9B8F-82D5AFE98E8F} - System32\Tasks\PC Speeder Pro => C:\Program Files (x86)\PC Speeder Pro\pcspeederpro.exe [2760496 2019-07-03] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Windows\System32\Tasks\PC Speeder Pro C:\Users\Public\Desktop\PC Speeder Pro.lnk C:\Users\{username}\AppData\Roaming\PC Speeder Pro C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speeder Pro C:\Program Files (x86)\PC Speeder Pro PC Speeder Pro (HKLM-x32\...\{C111065E-6304-4ECE-8716-E8FBF449871E}}_is1) (Version: 1.0 - Econosoft Global Services Pte. Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\PC Speeder Pro Adds the file Interop.NATUPNPLib.dll"="4/19/2018 12:25 PM, 7168 bytes, A Adds the file Interop.NETCONLib.dll"="4/19/2018 12:25 PM, 9728 bytes, A Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 12:25 PM, 19456 bytes, A Adds the file Interop.Shell32.dll"="4/19/2018 12:25 PM, 36864 bytes, A Adds the file Interop.WUApiLib.dll"="4/19/2018 12:25 PM, 73728 bytes, A Adds the file logo.ico"="7/1/2019 4:15 PM, 21662 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 12:31 PM, 171008 bytes, A Adds the file pcspeederpro.exe"="7/3/2019 1:16 PM, 2760496 bytes, A Adds the file SharpCompress.dll"="4/19/2018 12:35 PM, 418304 bytes, A Adds the file Sys_Trace.xml"="4/19/2018 12:45 PM, 46 bytes, A Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file unins000.dat"="7/29/2019 8:49 AM, 63700 bytes, A Adds the file unins000.exe"="7/29/2019 8:47 AM, 732976 bytes, A Adds the file unins000.msg"="7/29/2019 8:49 AM, 11557 bytes, A Adds the file WpfAnimatedGif.dll"="4/19/2018 12:20 PM, 28160 bytes, A Adds the file WPFToolkit.dll"="4/19/2018 12:20 PM, 467288 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\Backup Adds the folder C:\Program Files (x86)\PC Speeder Pro\de Adds the file pcspeederpro.resources.dll"="7/3/2019 1:16 PM, 29184 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\en Adds the file pcspeederpro.resources.dll"="7/3/2019 1:16 PM, 27136 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\ja-jp Adds the file pcspeederpro.resources.dll"="7/3/2019 1:16 PM, 33280 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\uni Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file Uninstaller.exe"="7/2/2019 3:30 PM, 461104 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\uni\de Adds the file Uninstaller.resources.dll"="7/2/2019 3:30 PM, 27648 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\uni\en Adds the file Uninstaller.resources.dll"="7/2/2019 3:30 PM, 25600 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\uni\ja-jp Adds the file Uninstaller.resources.dll"="7/2/2019 3:30 PM, 33280 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\uni\x64 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\uni\x86 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\x64 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A Adds the folder C:\Program Files (x86)\PC Speeder Pro\x86 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speeder Pro Adds the file PC Speeder Pro.lnk"="7/29/2019 8:49 AM, 1175 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\PC Speeder Pro\PC Repair Online\Backup Adds the folder C:\Users\{username}\AppData\Roaming\PC Speeder Pro\PC Repair Online\setting Adds the file psp_sett.ash"="7/29/2019 8:51 AM, 114688 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file PC Speeder Pro.lnk"="7/29/2019 8:49 AM, 1157 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file PC Speeder Pro"="7/29/2019 8:49 AM, 3240 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\PSP\Activation] "Insdate"="REG_SZ", "Vmgh0PR1mg20SmdYPyx/VC+phVAxhb2QOk+f7XxIMdk=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "R4KkhFSHCGPJ+uLr1axaBaVpIFfH/wkC9+vP6r7DhMo=" "lbp"="REG_SZ", "R4KkhFSHCGPJ+uLr1axaBaVpIFfH/wkC9+vP6r7DhMo=" "lr"="REG_SZ", "jSXc9IKVZAGleWWb1nxC/totNceqhUGj1uuN2Szyxd8=" "lsp"="REG_SZ", "R4KkhFSHCGPJ+uLr1axaBaVpIFfH/wkC9+vP6r7DhMo=" "lstup"="REG_SZ", "33628" "PN"="REG_SZ", "+1(888)200-8889" "Program"="REG_SZ", "PC Speeder Pro" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\PSP\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "PC Speeder Pro" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C111065E-6304-4ECE-8716-E8FBF449871E}}_is1] "Comments"="REG_SZ", "PC Speeder Pro" "Contact"="REG_SZ", "0800-183-3940" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\PC Speeder Pro\logo.ico" "DisplayName"="REG_SZ", "PC Speeder Pro" "DisplayVersion"="REG_SZ", "1.0" "EstimatedSize"="REG_DWORD", 13242 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\PC Speeder Pro" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "PC Speeder Pro" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon" "Inno Setup: Setup Version"="REG_SZ", "5.5.6 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190729" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\PC Speeder Pro\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Speeder Pro\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Speeder Pro\unins000.exe"" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/29/19 Scan Time: 10:34 AM Log File: befe0e3e-b1db-11e9-b4d1-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11762 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236477 Threats Detected: 66 Threats Quarantined: 66 Time Elapsed: 7 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\pcspeederpro.exe, Quarantined, [1378], [711525],1.0.11762 Module: 2 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\x64\SQLite.Interop.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\pcspeederpro.exe, Quarantined, [1378], [711525],1.0.11762 Registry Key: 8 PUP.Optional.PCSpeederPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Speeder Pro, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2E1B7583-29FF-47EA-9B8F-82D5AFE98E8F}, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{2E1B7583-29FF-47EA-9B8F-82D5AFE98E8F}, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{C111065E-6304-4ECE-8716-E8FBF449871E}}_is1, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\WOW6432NODE\FT\PSP, Quarantined, [1368], [711536],1.0.11762 PUP.Optional.PCSpeederPro, HKLM\SOFTWARE\MICROSOFT\TRACING\pcspeederpro_RASAPI32, Quarantined, [1378], [711529],1.0.11762 PUP.Optional.PCSpeederPro, HKLM\SOFTWARE\MICROSOFT\TRACING\pcspeederpro_RASMANCS, Quarantined, [1378], [711529],1.0.11762 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\FT\PSP, Quarantined, [1368], [711536],1.0.11762 Registry Value: 1 PUP.Optional.PCSpeederPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2E1B7583-29FF-47EA-9B8F-82D5AFE98E8F}|PATH, Quarantined, [1378], [711535],1.0.11762 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\ja-jp, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\x64, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\x86, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Backup, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\de, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\en, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\ja-jp, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\x64, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\x86, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\de, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\en, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\PROGRAM FILES (X86)\PC SPEEDER PRO, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PC SPEEDER PRO, Quarantined, [1378], [711526],1.0.11762 PUP.Optional.PCSpeederPro, C:\Users\{username}\AppData\Roaming\PC Speeder Pro\PC Repair Online\setting, Quarantined, [1378], [711528],1.0.11762 PUP.Optional.PCSpeederPro, C:\Users\{username}\AppData\Roaming\PC Speeder Pro\PC Repair Online\Backup, Quarantined, [1378], [711528],1.0.11762 PUP.Optional.PCSpeederPro, C:\Users\{username}\AppData\Roaming\PC Speeder Pro\PC Repair Online, Quarantined, [1378], [711528],1.0.11762 PUP.Optional.PCSpeederPro, C:\USERS\{username}\APPDATA\ROAMING\PC SPEEDER PRO, Quarantined, [1378], [711528],1.0.11762 File: 36 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\de\pcspeederpro.resources.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\en\pcspeederpro.resources.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\ja-jp\pcspeederpro.resources.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\de\Uninstaller.resources.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\en\Uninstaller.resources.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\ja-jp\Uninstaller.resources.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\x64\SQLite.Interop.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\x86\SQLite.Interop.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\System.Data.SQLite.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\System.Data.SQLite.xml, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\uni\Uninstaller.exe, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\x64\SQLite.Interop.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\x86\SQLite.Interop.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\pcspeederpro.exe, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Interop.NATUPNPLib.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Interop.NETCONLib.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Interop.NetFwTypeLib.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Interop.Shell32.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Interop.WUApiLib.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\logo.ico, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\SharpCompress.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\System.Data.SQLite.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\System.Data.SQLite.xml, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\Sys_Trace.xml, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\unins000.dat, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\unins000.exe, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\unins000.msg, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\WpfAnimatedGif.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\Program Files (x86)\PC Speeder Pro\WPFToolkit.dll, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\WINDOWS\SYSTEM32\TASKS\PC Speeder Pro, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\PC Speeder Pro.lnk, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\USERS\PUBLIC\Desktop\PC Speeder Pro.lnk, Quarantined, [1378], [711525],1.0.11762 PUP.Optional.PCSpeederPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speeder Pro\PC Speeder Pro.lnk, Quarantined, [1378], [711526],1.0.11762 PUP.Optional.PCSpeederPro, C:\Users\{username}\AppData\Roaming\PC Speeder Pro\PC Repair Online\setting\psp_sett.ash, Quarantined, [1378], [711528],1.0.11762 PUP.Optional.PCBooster, C:\USERS\{username}\DESKTOP\PSPSETUP.EXE, Quarantined, [566], [711523],1.0.11762 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is Free Up Memory?The Malwarebytes research team has determined that Free Up Memory is an adfraud tool. These adfraud applications earn money by connecting affected machines to websites in a way that makes the advertiser think you viewed their ads, when in reality you didn't.Even though you may feel there is no harm in it for you, these PUPs may compromise your security and use your resources.How do I know if my computer is affected by Free Up Memory?You may see this entry in your list of installed Chrome extensions:this icon in your browsers' menu-bar:this screen if you click the icon:and these warnings during install:How did Free Up Memory get on my computer?Adfraud tools use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their advertisement:How do I remove Free Up Memory?Our program Malwarebytes can detect and remove this potentially unwanted extension. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Free Up Memory? No, Malwarebytes removes Free Up Memory completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this potentially unwanted program.As you can see below the full version of Malwarebytes would have protected you against the Free Up Memory adfraud tool. It would have blocked their domain, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (Free Up Memory) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof [2019-07-26] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0 Adds the file app.js"="7/3/2019 1:37 PM, 4593 bytes, A Adds the file background.html"="7/2/2019 4:59 PM, 183 bytes, A Adds the file func.js"="7/3/2019 1:30 PM, 1508 bytes, A Adds the file manifest.json"="7/26/2019 8:51 AM, 1102 bytes, A Adds the file menu.html"="7/2/2019 6:26 PM, 2762 bytes, A Adds the file menu.js"="7/2/2019 6:37 PM, 3000 bytes, A Adds the file styles.css"="7/2/2019 3:45 PM, 2090 bytes, A Adds the file suspended.css"="7/3/2019 10:01 AM, 94 bytes, A Adds the file suspended.html"="7/3/2019 10:10 AM, 303 bytes, A Adds the file suspended.js"="7/3/2019 1:38 PM, 891 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\_metadata Adds the file computed_hashes.json"="7/26/2019 8:51 AM, 11958 bytes, A Adds the file verified_contents.json"="7/3/2019 1:23 PM, 3552 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\icons Adds the file 128.png"="7/26/2019 8:51 AM, 5947 bytes, A Adds the file cancel.svg"="7/2/2019 12:28 PM, 329 bytes, A Adds the file clock.svg"="7/2/2019 12:28 PM, 337 bytes, A Adds the file reload.svg"="7/2/2019 12:28 PM, 516 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\img Adds the file logo@2x.png"="7/2/2019 2:15 PM, 9912 bytes, A Adds the file suspended.png"="7/2/2019 5:08 PM, 6977 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\libs Adds the file jquery.mswitch.css"="7/2/2019 3:17 PM, 1151 bytes, A Adds the file jquery.mswitch.js"="7/2/2019 5:40 PM, 3043 bytes, A Adds the file jquery-1.12.4.js"="7/2/2019 12:57 PM, 293430 bytes, A Adds the file jquery-ui.css"="7/2/2019 12:56 PM, 35973 bytes, A Adds the file jquery-ui.js"="7/2/2019 12:57 PM, 520714 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof Adds the file 000003.log"="7/26/2019 8:51 AM, 0 bytes, A Adds the file CURRENT"="7/26/2019 8:51 AM, 16 bytes, A Adds the file LOCK"="7/26/2019 8:51 AM, 0 bytes, A Adds the file LOG"="7/26/2019 8:51 AM, 184 bytes, A Adds the file MANIFEST-000001"="7/26/2019 8:51 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pjdjnlbnfpbheicpcnaeadccbdghajof"="REG_SZ", "40D90A9F11DBA28A14234CF32C9730ED0FA1115B1E0690A737ABE0E56556194A" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/26/19 Scan Time: 9:13 AM Log File: d036a54e-af74-11e9-9a02-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11726 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236526 Threats Detected: 39 Threats Quarantined: 39 Time Elapsed: 5 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.FreeUpMemory, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pjdjnlbnfpbheicpcnaeadccbdghajof, Quarantined, [2595], [712262],1.0.11726 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\_metadata, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\icons, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\libs, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\img, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\pjdjnlbnfpbheicpcnaeadccbdghajof, Quarantined, [2595], [712262],1.0.11726 File: 31 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\icons\128.png, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\icons\cancel.svg, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\icons\clock.svg, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\icons\reload.svg, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\img\logo@2x.png, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\img\suspended.png, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\libs\jquery-1.12.4.js, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\libs\jquery-ui.css, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\libs\jquery-ui.js, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\libs\jquery.mswitch.css, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\libs\jquery.mswitch.js, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\_metadata\computed_hashes.json, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\_metadata\verified_contents.json, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\app.js, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\background.html, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\func.js, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\manifest.json, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\menu.html, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\menu.js, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\styles.css, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\suspended.css, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\suspended.html, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjdjnlbnfpbheicpcnaeadccbdghajof\1.1_0\suspended.js, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof\000003.log, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof\CURRENT, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof\LOCK, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof\LOG, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof\LOG.old, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pjdjnlbnfpbheicpcnaeadccbdghajof\MANIFEST-000001, Quarantined, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2595], [712262],1.0.11726 PUP.Optional.FreeUpMemory, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2595], [712262],1.0.11726 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is OiT?The Malwarebytes research team has determined that OiT is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by OiT?You may see this entry in your list of installed Chrome extensions:and these warnings during install:Despite this warning the install was successfulHow did OiT get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove OiT?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of OiT? No, Malwarebytes removes OiT completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the OiT hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (OiT) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk [2019-07-25] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0 Adds the file background.js"="7/17/2019 4:19 AM, 7742 bytes, A Adds the file manifest.json"="7/25/2019 10:23 AM, 7310 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\_metadata Adds the file computed_hashes.json"="7/25/2019 10:23 AM, 404 bytes, A Adds the file verified_contents.json"="7/24/2019 12:05 AM, 1645 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\icons Adds the file icon128.png"="7/25/2019 10:23 AM, 2188 bytes, A Adds the file icon48.png"="7/25/2019 10:23 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pidepfbnmnemhcencgnfhhfnfiebdgjk Adds the file 000003.log"="7/25/2019 10:25 AM, 128 bytes, A Adds the file CURRENT"="7/25/2019 10:23 AM, 16 bytes, A Adds the file LOCK"="7/25/2019 10:23 AM, 0 bytes, A Adds the file LOG"="7/25/2019 10:23 AM, 183 bytes, A Adds the file MANIFEST-000001"="7/25/2019 10:23 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pidepfbnmnemhcencgnfhhfnfiebdgjk Adds the file OiT.ico"="7/25/2019 10:23 AM, 162813 bytes, A Adds the file OiT.ico.md5"="7/25/2019 10:23 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "pidepfbnmnemhcencgnfhhfnfiebdgjk"="REG_SZ", "56BA3AA6E583420F23B2DFB45B235064DA3ADC0AC833DCB55B21A8DE5756840B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/25/19 Scan Time: 10:31 AM Log File: 9ee50b16-aeb6-11e9-bf02-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11710 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236554 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 6 min, 7 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.QXSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|pidepfbnmnemhcencgnfhhfnfiebdgjk, Quarantined, [352], [676735],1.0.11710 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\pidepfbnmnemhcencgnfhhfnfiebdgjk, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\_metadata, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\icons, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PIDEPFBNMNEMHCENCGNFHHFNFIEBDGJK, Quarantined, [352], [676735],1.0.11710 File: 13 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pidepfbnmnemhcencgnfhhfnfiebdgjk\000003.log, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pidepfbnmnemhcencgnfhhfnfiebdgjk\CURRENT, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pidepfbnmnemhcencgnfhhfnfiebdgjk\LOCK, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pidepfbnmnemhcencgnfhhfnfiebdgjk\LOG, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pidepfbnmnemhcencgnfhhfnfiebdgjk\MANIFEST-000001, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PIDEPFBNMNEMHCENCGNFHHFNFIEBDGJK\5.7_0\MANIFEST.JSON, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\icons\icon128.png, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\icons\icon48.png, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\_metadata\computed_hashes.json, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\_metadata\verified_contents.json, Quarantined, [352], [676735],1.0.11710 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\pidepfbnmnemhcencgnfhhfnfiebdgjk\5.7_0\background.js, Quarantined, [352], [676735],1.0.11710 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is Smart Sys Care?The Malwarebytes research team has determined that Smart Sys Care is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Smart Sys Care?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:How did Smart Sys Care get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Smart Sys Care?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Smart Sys Care? No, Malwarebytes removes Smart Sys Care completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Smart Sys Care installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Flawless Technology) C:\Program Files (x86)\Smart Sys Care\PC Repair Online\sscsetup.exe Task: {3FF373AE-09AD-4251-BE2A-B0DFAF8A0380} - System32\Tasks\Smart Sys Care PC Repair Online => C:\Program Files (x86)\Smart Sys Care\PC Repair Online\sscsetup.exe [3081544 2019-01-21] (Econosoft Global Services PTE. LTD. -> Flawless Technology) C:\Users\{username}\Downloads\Trojan.Worm.73242.msh C:\Users\{username}\Downloads\Trojan.Worm.432047.msh C:\Windows\System32\Tasks\Smart Sys Care PC Repair Online C:\Users\Public\Desktop\Smart Sys Care.lnk C:\Users\{username}\AppData\Roaming\Smart Sys Care C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Sys Care C:\Program Files (x86)\Smart Sys Care Smart Sys Care (HKLM-x32\...\{4792BD9F-7EB5-446B-A15D-382559FFD32F}}_is1) (Version: 1.0 - Smart Sys Care) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online Adds the file Interop.NATUPNPLib.dll"="4/19/2018 12:25 PM, 7168 bytes, A Adds the file Interop.NETCONLib.dll"="4/19/2018 12:25 PM, 9728 bytes, A Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 12:25 PM, 19456 bytes, A Adds the file Interop.Shell32.dll"="4/19/2018 12:25 PM, 36864 bytes, A Adds the file Interop.WUApiLib.dll"="4/19/2018 12:25 PM, 73728 bytes, A Adds the file ksb.bat"="1/6/2019 11:33 AM, 212 bytes, A Adds the file logo.ico"="1/7/2019 6:57 PM, 16958 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 12:31 PM, 171008 bytes, A Adds the file SharpCompress.dll"="4/19/2018 12:35 PM, 418304 bytes, A Adds the file sscsetup.exe"="1/21/2019 7:55 PM, 3081544 bytes, A Adds the file sscsetup.vshost.exe"="1/21/2019 7:56 PM, 22688 bytes, A Adds the file Sys_Trace.xml"="4/19/2018 12:45 PM, 46 bytes, A Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file unins000.dat"="7/24/2019 8:42 AM, 42739 bytes, A Adds the file unins000.exe"="7/24/2019 8:42 AM, 728432 bytes, A Adds the file unins000.msg"="7/24/2019 8:42 AM, 11442 bytes, A Adds the file WpfAnimatedGif.dll"="4/19/2018 12:20 PM, 28160 bytes, A Adds the file WPFToolkit.dll"="4/19/2018 12:20 PM, 467288 bytes, A Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Backup Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online\de Adds the file sscsetup.resources.dll"="1/21/2019 7:55 PM, 28672 bytes, A Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online\en Adds the file sscsetup.resources.dll"="1/21/2019 7:55 PM, 26112 bytes, A Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online\ja-jp Adds the file sscsetup.resources.dll"="1/21/2019 7:55 PM, 32256 bytes, A Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file Uninstaller.exe"="1/14/2019 8:54 PM, 531272 bytes, A Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online\x64 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A Adds the folder C:\Program Files (x86)\Smart Sys Care\PC Repair Online\x86 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Sys Care Adds the file Smart Sys Care.lnk"="7/24/2019 8:42 AM, 1376 bytes, A Adds the file Uninstall Smart Sys Care.lnk"="7/24/2019 8:42 AM, 1376 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Smart Sys Care\PC Repair Online\Backup Adds the folder C:\Users\{username}\AppData\Roaming\Smart Sys Care\PC Repair Online\setting Adds the file SmartSysCare_sett.ash"="7/24/2019 9:04 AM, 286720 bytes, A In the existing folder C:\Users\{username}\Downloads Adds the file Trojan.Worm.432047.msh"="7/20/2019 12:47 PM, 259 bytes, A Adds the file Trojan.Worm.73242.msh"="7/20/2019 12:47 PM, 259 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Smart Sys Care.lnk"="7/24/2019 8:42 AM, 1358 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Smart Sys Care PC Repair Online"="7/24/2019 8:42 AM, 3262 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Smart Sys Care\Activation] "Insdate"="REG_SZ", "r0a1n8o/1i0C0bWr3De4Is4Zl9S6dhe6krJCeDX5sbE=" "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "vYVDjGGIudKl1WqHwoZraPufGfV6kseHn30/qplZA0c=" "lbp"="REG_SZ", "vYVDjGGIudKl1WqHwoZraPufGfV6kseHn30/qplZA0c=" "lr"="REG_SZ", "Nky9ln7nb18ib/XxxLLIrEb0xZTIeCWu9sD1iGRI6Sg=" "lsp"="REG_SZ", "vYVDjGGIudKl1WqHwoZraPufGfV6kseHn30/qplZA0c=" "Program"="REG_SZ", "Smart Sys Care" "Version"="REG_SZ", "1.0" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4792BD9F-7EB5-446B-A15D-382559FFD32F}}_is1] "Comments"="REG_SZ", "Smart Sys Care" "Contact"="REG_SZ", "0800-183-3940" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Smart Sys Care\PC Repair Online\logo.ico" "DisplayName"="REG_SZ", "Smart Sys Care" "DisplayVersion"="REG_SZ", "1.0" "EstimatedSize"="REG_DWORD", 13635 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Smart Sys Care\PC Repair Online" "Inno Setup: Icon Group"="REG_SZ", "Smart Sys Care" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.6 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190724" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Smart Sys Care\PC Repair Online\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Smart Sys Care" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Smart Sys Care\PC Repair Online\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Smart Sys Care\PC Repair Online\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Smart Sys Care\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "Smart Sys Care" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Smart Sys Care PC Repair Online"="REG_SZ", ""C:\Program Files (x86)\Smart Sys Care\PC Repair Online\ksb.bat"" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/24/19 Scan Time: 9:15 AM Log File: d6b9436a-ade2-11e9-9555-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11694 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236584 Threats Detected: 72 Threats Quarantined: 72 Time Elapsed: 7 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\sscsetup.exe, Quarantined, [1539], [709245],1.0.11694 Module: 2 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\x64\SQLite.Interop.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\sscsetup.exe, Quarantined, [1539], [709245],1.0.11694 Registry Key: 6 PUP.Optional.SmartSysCare, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Smart Sys Care PC Repair Online, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3FF373AE-09AD-4251-BE2A-B0DFAF8A0380}, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{3FF373AE-09AD-4251-BE2A-B0DFAF8A0380}, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4792BD9F-7EB5-446B-A15D-382559FFD32F}}_is1, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, HKLM\SOFTWARE\Smart Sys Care, Quarantined, [1539], [709250],1.0.11694 PUP.Optional.SmartSysCare, HKLM\SOFTWARE\WOW6432NODE\Smart Sys Care, Quarantined, [1539], [709250],1.0.11694 Registry Value: 2 PUP.Optional.SmartSysCare, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Smart Sys Care PC Repair Online, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3FF373AE-09AD-4251-BE2A-B0DFAF8A0380}|PATH, Quarantined, [1539], [709248],1.0.11694 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 19 PUP.Optional.SmartSysCare, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART SYS CARE, Quarantined, [1539], [709247],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\ja-jp, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\x64, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\x86, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Backup, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\de, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\en, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\ja-jp, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\x64, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\x86, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\de, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\en, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\PROGRAM FILES (X86)\SMART SYS CARE, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Users\{username}\AppData\Roaming\Smart Sys Care\PC Repair Online\setting, Quarantined, [1539], [709242],1.0.11694 PUP.Optional.SmartSysCare, C:\Users\{username}\AppData\Roaming\Smart Sys Care\PC Repair Online\Backup, Quarantined, [1539], [709242],1.0.11694 PUP.Optional.SmartSysCare, C:\Users\{username}\AppData\Roaming\Smart Sys Care\PC Repair Online, Quarantined, [1539], [709242],1.0.11694 PUP.Optional.SmartSysCare, C:\USERS\{username}\APPDATA\ROAMING\SMART SYS CARE, Quarantined, [1539], [709242],1.0.11694 File: 42 PUP.Optional.SmartSysCare, C:\USERS\PUBLIC\DESKTOP\SMART SYS CARE.LNK, Quarantined, [1539], [709243],1.0.11694 PUP.Optional.SmartSysCare, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART SYS CARE\UNINSTALL SMART SYS CARE.LNK, Quarantined, [1539], [709247],1.0.11694 PUP.Optional.SmartSysCare, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Sys Care\Smart Sys Care.lnk, Quarantined, [1539], [709247],1.0.11694 PUP.Optional.SmartSysCare, C:\PROGRAM FILES (X86)\SMART SYS CARE\PC REPAIR ONLINE\UNINS000.MSG, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\de\sscsetup.resources.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\en\sscsetup.resources.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\ja-jp\sscsetup.resources.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\de\Uninstaller.resources.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\en\Uninstaller.resources.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\ja-jp\Uninstaller.resources.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\x64\SQLite.Interop.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\x86\SQLite.Interop.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\System.Data.SQLite.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\System.Data.SQLite.xml, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\uni\Uninstaller.exe, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\x64\SQLite.Interop.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\x86\SQLite.Interop.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Interop.NATUPNPLib.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Interop.NETCONLib.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Interop.NetFwTypeLib.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Interop.Shell32.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Interop.WUApiLib.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\ksb.bat, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\logo.ico, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\SharpCompress.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\sscsetup.exe, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\sscsetup.vshost.exe, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\System.Data.SQLite.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\System.Data.SQLite.xml, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\Sys_Trace.xml, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\unins000.dat, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\unins000.exe, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\WpfAnimatedGif.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Program Files (x86)\Smart Sys Care\PC Repair Online\WPFToolkit.dll, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\WINDOWS\SYSTEM32\TASKS\Smart Sys Care PC Repair Online, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Smart Sys Care.lnk, Quarantined, [1539], [709245],1.0.11694 PUP.Optional.SmartSysCare, C:\Users\{username}\AppData\Roaming\Smart Sys Care\PC Repair Online\setting\SmartSysCare_sett.ash, Quarantined, [1539], [709242],1.0.11694 PUP.Optional.PCBooster, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\LOCALCOPY\{4CC56045-D346-4F1F-9C5D-26AF0A5313E7}-SSCINS.EXE, Quarantined, [566], [711523],1.0.11694 PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\IS-P0VU4.TMP\SSC.TMP, Quarantined, [566], [711523],1.0.11694 PUP.Optional.PCBooster, C:\USERS\{username}\APPDATA\LOCAL\TEMP\SSC.EXE, Quarantined, [566], [711523],1.0.11694 PUP.Optional.PCBooster, C:\USERS\{username}\DESKTOP\SSCINS.EXE, Quarantined, [566], [711523],1.0.11694 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is MessengerNow?The Malwarebytes research team has determined that MessengerNow is a potentially unwanted program that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by MessengerNow?You may see these warnings during install:and this entry in your list of installed Programs and Features:How did MessengerNow get on my computer?Adware applications use different methods for distributing themselves. This particular one was downloaded from an advertising website:How do I remove MessengerNow?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MessengerNow? No, Malwarebytes removes MessengerNow completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the MessengerNow adware. It would have blocked the installer before it became too late. and it blocks traffic to their domains: Technical details for expertsPossible signs in FRST logs: (MessengerNow -> ) [File not signed] C:\Users\{username}\AppData\Roaming\MessengerNow\MessengerNow.exe HKLM-x32\...\Run: [MessengerNow] => C:\Users\{username}\AppData\Roaming\MessengerNow\MessengerNow.exe [47905616 2019-06-10] (MessengerNow -> ) [File not signed] <==== ATTENTION C:\Users\{username}\Desktop\MessengerNow.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MessengerNow C:\Users\{username}\AppData\Roaming\MessengerNow C:\Users\{username}\AppData\Local\MessengerNow MessengerNow - Facebook Messenger for Desktop (HKLM-x32\...\MessengerNow) (Version: 14.1906.1ac - MessengerNow) (MessengerNow -> Google Inc.) [File not signed] C:\Users\{username}\AppData\Roaming\MessengerNow\ffmpegsumo.dll Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\MessengerNow Adds the file cookies"="7/23/2019 9:20 AM, 6144 bytes, A Adds the file cookies-journal"="7/23/2019 9:20 AM, 4640 bytes, A Adds the file lockfile"="7/23/2019 9:19 AM, 0 bytes, A Adds the file QuotaManager"="7/23/2019 9:19 AM, 13312 bytes, A Adds the file QuotaManager-journal"="7/23/2019 9:19 AM, 8768 bytes, A Adds the file Web Data"="7/23/2019 9:19 AM, 40960 bytes, A Adds the file Web Data-journal"="7/23/2019 9:19 AM, 512 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MessengerNow\Cache Adds the file index"="7/23/2019 9:19 AM, 24 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MessengerNow\Cache\index-dir Adds the file the-real-index"="7/23/2019 9:19 AM, 44 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MessengerNow\databases Adds the file Databases.db"="7/23/2019 9:19 AM, 7168 bytes, A Adds the file Databases.db-journal"="7/23/2019 9:19 AM, 5672 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MessengerNow\databases\file__0 Adds the file 1"="7/23/2019 9:19 AM, 4096 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MessengerNow\Local Storage Adds the file file__0.localstorage"="7/23/2019 9:19 AM, 3072 bytes, A Adds the file file__0.localstorage-journal"="7/23/2019 9:19 AM, 3608 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\MessengerNow Adds the file ffmpegsumo.dll"="6/10/2019 1:56 PM, 1652840 bytes, A Adds the file icudtl.dat"="6/10/2019 1:46 PM, 10457856 bytes, A Adds the file MessengerNow.exe"="6/10/2019 1:56 PM, 47905616 bytes, A Adds the file nw.pak"="6/10/2019 1:46 PM, 7481810 bytes, A Adds the file storage.json"="7/23/2019 9:19 AM, 83 bytes, A Adds the file Uninstall.exe"="7/23/2019 9:19 AM, 472523 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\MessengerNow\locales In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar Adds the file MessengerNow.lnk"="7/23/2019 9:19 AM, 947 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MessengerNow Adds the file MessengerNow.lnk"="7/23/2019 9:19 AM, 1905 bytes, A Adds the file Uninstall.lnk"="7/23/2019 9:19 AM, 1884 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file MessengerNow.lnk"="7/23/2019 9:19 AM, 995 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "MessengerNow"="REG_SZ", "C:\Users\{username}\AppData\Roaming\MessengerNow\MessengerNow.exe su" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MessengerNow] "DisplayIcon"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\MessengerNow\Uninstall.exe"" "DisplayName"="REG_SZ", "MessengerNow - Facebook Messenger for Desktop" "DisplayVersion"="REG_SZ", "14.1906.1ac" "EstimatedSize"="REG_DWORD", 65916 "Publisher"="REG_SZ", "MessengerNow" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\MessengerNow\Uninstall.exe"" [HKEY_CURRENT_USER\Software\AppDataLow\Software\MessengerNow] "uid"="REG_SZ", "328D473C-5466-4493-823E-60AA58F7DD0C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/23/19 Scan Time: 9:26 AM Log File: 3a22a9be-ad1b-11e9-9619-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11680 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236878 Threats Detected: 72 Threats Quarantined: 72 Time Elapsed: 7 min, 0 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 3 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\MESSENGERNOW.EXE, Quarantined, [1230], [710654],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\MESSENGERNOW.EXE, Quarantined, [1230], [710654],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\MESSENGERNOW.EXE, Quarantined, [1230], [710654],1.0.11680 Module: 3 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\MESSENGERNOW.EXE, Quarantined, [1230], [710654],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\MESSENGERNOW.EXE, Quarantined, [1230], [710654],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\MESSENGERNOW.EXE, Quarantined, [1230], [710654],1.0.11680 Registry Key: 2 PUP.Optional.MessengerTime, HKCU\SOFTWARE\APPDATALOW\SOFTWARE\MessengerNow, Quarantined, [1230], [710655],1.0.11680 PUP.Optional.MessengerTime, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MessengerNow, Quarantined, [1230], [710653],1.0.11680 Registry Value: 1 PUP.Optional.MessengerTime, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MESSENGERNOW, Quarantined, [1230], [710654],1.0.11680 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\databases\file__0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\index-dir, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Local Storage, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\databases, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\LOCAL\MESSENGERNOW, Quarantined, [1230], [710651],1.0.11680 File: 57 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\index-dir\the-real-index, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\07730ced5e0a88d0_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\0f77b7b90b3e5573_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\1c2d0c15c242cb58_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\25313771bc5938c9_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\268a109cb39eb34e_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\2bd67ddba7e67238_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\2cd9794f52e24e4f_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\2df02be6dafbc6aa_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\35f3137a35efe120_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\3b85cbe9531df329_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\44d4eddb5f25060a_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\79316414c1a3d6d7_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\79c6582ae9c4dcbb_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\7a4f755cf9c7809f_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\7e3cdd1d75f89fbe_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\8313106e6b78138f_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\867eeb85f85ca729_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\945fac70812eb6d4_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\9b055dd30faa669b_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\9d74aa3fa89af1dc_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\b748772023eea3c7_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\bc141ccc77e7908f_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\c0e88843241c4b64_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\d362fe4736f6b584_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\e098fd214316abfd_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\f8e368babf74f062_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\index, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\45e8a7b3a9a39630_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\46a6fa395fd9530d_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\4c145cce1bf3ad79_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\4e79165120b5c1d3_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\5a44dbe39b1a358c_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\5e721eec36958a68_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\5ec195c554dc9470_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\607a6def203836f6_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\65335d8cc46b3c65_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\65b667c2d500d645_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\6787f2ca849a4301_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Cache\776f48ba52abc5c9_0, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\databases\file__0\1, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\databases\Databases.db, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\databases\Databases.db-journal, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Local Storage\file__0.localstorage, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Local Storage\file__0.localstorage-journal, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\cookies, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\cookies-journal, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\lockfile, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\QuotaManager, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\QuotaManager-journal, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Web Data, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\Users\{username}\AppData\Local\MessengerNow\Web Data-journal, Quarantined, [1230], [710651],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\DESKTOP\MESSENGERNOW.LNK, Quarantined, [1230], [710652],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\MESSENGERNOW.EXE, Quarantined, [1230], [710654],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\MessengerNow.lnk, Quarantined, [1230], [710654],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\APPDATA\ROAMING\MESSENGERNOW\UNINSTALL.EXE, Quarantined, [1230], [710656],1.0.11680 PUP.Optional.MessengerTime, C:\USERS\{username}\DESKTOP\MESSENGERNOW.14.1906.1AC.EXE, Quarantined, [1230], [710656],1.0.11680 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is PC Booster Pro?The Malwarebytes research team has determined that PC Booster Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with PC Booster Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:and these tasks in your list of Scheduled Tasks:How did PC Booster Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove PC Booster Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PC Booster Pro? No, Malwarebytes removes PC Booster Pro completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the PC Booster Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\PC Booster Pro\pcboosterpro.exe (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\PC Booster Pro\pcboosterpro_protection.exe Task: {0DAC30DF-DCFD-4CDD-8079-F9DE4BA96845} - System32\Tasks\PC Booster Pro => C:\Program Files (x86)\PC Booster Pro\pcboosterpro.exe [7099184 2019-07-19] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) <==== ATTENTION Task: {6E4C3F84-D8BD-4F65-A7D0-C7447CCCD508} - System32\Tasks\PC Booster Pro Protection Startup => C:\Program Files (x86)\PC Booster Pro\pcboosterpro_protection.exe [400688 2019-07-17] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) <==== ATTENTION C:\Windows\System32\Tasks\PC Booster Pro Protection Startup C:\Windows\System32\Tasks\PC Booster Pro C:\Users\{username}\AppData\Roaming\PC Booster Pro C:\Users\Public\Desktop\PC Booster Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Booster Pro C:\Program Files (x86)\PC Booster Pro PC Booster Pro (HKLM-x32\...\{59067503-5AF7-46A3-A052-3CB044D4D66E}}_is1) (Version: 1.0 - Econosoft Global Services Pte. Ltd.) <==== ATTENTION Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\PC Booster Pro Adds the file Core.dll"="4/19/2018 12:31 PM, 237568 bytes, A Adds the file DiscUtils.Common.dll"="4/19/2018 12:31 PM, 23040 bytes, A Adds the file DiscUtils.dll"="4/19/2018 12:31 PM, 915456 bytes, A Adds the file DiscUtils.MSBuild.dll"="4/19/2018 12:31 PM, 8192 bytes, A Adds the file DynamicDataDisplay.dll"="4/19/2018 12:31 PM, 316416 bytes, A Adds the file errordetailsOpt.xml"="7/22/2019 8:57 AM, 942818 bytes, A Adds the file errorlog.txt"="7/12/2019 1:16 PM, 189 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="4/19/2018 12:31 PM, 49152 bytes, A Adds the file Interop.NATUPNPLib.dll"="4/19/2018 12:31 PM, 7680 bytes, A Adds the file Interop.NETCONLib.dll"="4/19/2018 12:31 PM, 10240 bytes, A Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 12:31 PM, 19456 bytes, A Adds the file logo.ico"="7/3/2019 4:43 PM, 21662 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 12:31 PM, 171008 bytes, A Adds the file OptErr.xml"="4/19/2018 12:31 PM, 10 bytes, A Adds the file pcboosterpro.exe"="7/19/2019 8:55 PM, 7099184 bytes, A Adds the file pcboosterpro_protection.exe"="7/17/2019 9:01 PM, 400688 bytes, A Adds the file System.Data.SQLite.dll"="4/19/2018 12:31 PM, 280576 bytes, A Adds the file System.Windows.Controls.Layout.Toolkit.dll"="4/19/2018 12:31 PM, 95064 bytes, A Adds the file unins000.dat"="7/22/2019 8:51 AM, 41438 bytes, A Adds the file unins000.exe"="7/22/2019 8:51 AM, 732976 bytes, A Adds the file unins000.msg"="7/22/2019 8:51 AM, 11509 bytes, A Adds the file WpfAnimatedGif.dll"="4/19/2018 12:31 PM, 28160 bytes, A Adds the file WPFToolkit.dll"="4/19/2018 12:31 PM, 467288 bytes, A Adds the folder C:\Program Files (x86)\PC Booster Pro\Backup Adds the folder C:\Program Files (x86)\PC Booster Pro\de Adds the file pcboosterpro.resources.dll"="7/19/2019 8:55 PM, 74752 bytes, A Adds the folder C:\Program Files (x86)\PC Booster Pro\en Adds the file pcboosterpro.resources.dll"="7/19/2019 8:55 PM, 68096 bytes, A Adds the folder C:\Program Files (x86)\PC Booster Pro\ja-jp Adds the file pcboosterpro.resources.dll"="7/19/2019 8:55 PM, 84480 bytes, A Adds the folder C:\Program Files (x86)\PC Booster Pro\slider Adds the file Slider-1.jpg"="4/19/2018 12:31 PM, 77585 bytes, A Adds the file Slider-2.jpg"="4/19/2018 12:31 PM, 79413 bytes, A Adds the folder C:\Program Files (x86)\PC Booster Pro\uni Adds the file System.Data.SQLite.dll"="3/2/2018 6:51 AM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="3/2/2018 6:51 AM, 1051056 bytes, A Adds the file Uninstaller.exe"="7/19/2019 7:35 PM, 438576 bytes, A Adds the folder C:\Program Files (x86)\PC Booster Pro\x64 Adds the file SQLite.Interop.dll"="4/19/2018 12:31 PM, 1205248 bytes, A Adds the folder C:\Program Files (x86)\PC Booster Pro\x86 Adds the file SQLite.Interop.dll"="4/19/2018 12:31 PM, 903168 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Booster Pro Adds the file PC Booster Pro.lnk"="7/22/2019 8:51 AM, 1175 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\PC Booster Pro\PC Repair Online\setting Adds the file pbp_sett.ash"="7/22/2019 8:57 AM, 475136 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file PC Booster Pro.lnk"="7/22/2019 8:51 AM, 1157 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file PC Booster Pro"="7/22/2019 8:52 AM, 3240 bytes, A Adds the file PC Booster Pro Protection Startup"="7/22/2019 8:52 AM, 3262 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\PBP\Activation] "Insdate"="REG_SZ", "AhGEQd6dAycGlZ2CEFN4ya5sWW9n8yh9i+XNgkkCElw=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "KghKgyRSdUVtN2GtX/nj0OQdq/biWtxM9Q6/UFmRwGg=" "lbp"="REG_SZ", "KghKgyRSdUVtN2GtX/nj0OQdq/biWtxM9Q6/UFmRwGg=" "lr"="REG_SZ", "KghKgyRSdUVtN2GtX/nj0OQdq/biWtxM9Q6/UFmRwGg=" "lsp"="REG_SZ", "KghKgyRSdUVtN2GtX/nj0OQdq/biWtxM9Q6/UFmRwGg=" "PN"="REG_SZ", "+1(888)200-8889" "Program"="REG_SZ", "PC Booster Pro" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\PBP\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "PC Booster Pro" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{59067503-5AF7-46A3-A052-3CB044D4D66E}}_is1] "Comments"="REG_SZ", "PC Booster Pro" "Contact"="REG_SZ", "0800-183-3940" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\PC Booster Pro\logo.ico" "DisplayName"="REG_SZ", "PC Booster Pro" "DisplayVersion"="REG_SZ", "1.0" "EstimatedSize"="REG_DWORD", 17655 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\PC Booster Pro" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "PC Booster Pro" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon" "Inno Setup: Setup Version"="REG_SZ", "5.5.6 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190722" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\PC Booster Pro\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Booster Pro\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\PC Booster Pro\unins000.exe"" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/22/19 Scan Time: 9:05 AM Log File: 0770bdd4-ac4f-11e9-852c-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11664 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236334 Threats Detected: 81 Threats Quarantined: 81 Time Elapsed: 7 min, 26 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\pcboosterpro.exe, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\pcboosterpro_protection.exe, Quarantined, [1369], [709551],1.0.11664 Module: 4 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\x64\SQLite.Interop.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\x64\SQLite.Interop.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\pcboosterpro.exe, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\pcboosterpro_protection.exe, Quarantined, [1369], [709551],1.0.11664 Registry Key: 11 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\FT\PBP, Quarantined, [1369], [709557],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\TRACING\pcboosterpro_RASAPI32, Quarantined, [1369], [709556],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\TRACING\pcboosterpro_RASMANCS, Quarantined, [1369], [709556],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Booster Pro, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0DAC30DF-DCFD-4CDD-8079-F9DE4BA96845}, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{0DAC30DF-DCFD-4CDD-8079-F9DE4BA96845}, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PC Booster Pro Protection Startup, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6E4C3F84-D8BD-4F65-A7D0-C7447CCCD508}, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{6E4C3F84-D8BD-4F65-A7D0-C7447CCCD508}, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{59067503-5AF7-46A3-A052-3CB044D4D66E}}_is1, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\WOW6432NODE\FT\PBP, Quarantined, [1369], [709557],1.0.11664 Registry Value: 1 PUP.Optional.PCBoosterPro, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{59067503-5AF7-46A3-A052-3CB044D4D66E}}_IS1|DISPLAYNAME, Quarantined, [1369], [709558],1.0.11664 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 18 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\ja-jp, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\x64, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\x86, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\Backup, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\slider, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\de, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\en, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\ja-jp, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\x64, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\x86, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\de, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\en, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\PROGRAM FILES (X86)\PC BOOSTER PRO, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PC BOOSTER PRO, Quarantined, [1369], [709552],1.0.11664 PUP.Optional.PCBoosterPro, C:\Users\{username}\AppData\Roaming\PC Booster Pro\PC Repair Online\setting, Quarantined, [1369], [709554],1.0.11664 PUP.Optional.PCBoosterPro, C:\Users\{username}\AppData\Roaming\PC Booster Pro\PC Repair Online, Quarantined, [1369], [709554],1.0.11664 PUP.Optional.PCBoosterPro, C:\USERS\{username}\APPDATA\ROAMING\PC BOOSTER PRO, Quarantined, [1369], [709554],1.0.11664 File: 45 PUP.Optional.PCBoosterPro, C:\USERS\PUBLIC\DESKTOP\PC BOOSTER PRO.LNK, Quarantined, [1369], [709553],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\de\pcboosterpro.resources.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\en\pcboosterpro.resources.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\ja-jp\pcboosterpro.resources.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\slider\Slider-1.jpg, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\slider\Slider-2.jpg, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\de\Uninstaller.resources.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\en\Uninstaller.resources.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\ja-jp\Uninstaller.resources.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\x64\SQLite.Interop.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\x86\SQLite.Interop.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\System.Data.SQLite.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\System.Data.SQLite.xml, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\uni\Uninstaller.exe, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\x64\SQLite.Interop.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\x86\SQLite.Interop.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\Interop.NetFwTypeLib.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\Core.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\DiscUtils.Common.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\DiscUtils.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\DiscUtils.MSBuild.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\DynamicDataDisplay.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\errordetailsOpt.xml, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\errorlog.txt, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\Interop.IWshRuntimeLibrary.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\Interop.NATUPNPLib.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\Interop.NETCONLib.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\logo.ico, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\OptErr.xml, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\pcboosterpro.exe, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\pcboosterpro_protection.exe, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\System.Data.SQLite.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\System.Windows.Controls.Layout.Toolkit.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\unins000.dat, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\unins000.exe, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\unins000.msg, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\WpfAnimatedGif.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\Program Files (x86)\PC Booster Pro\WPFToolkit.dll, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\WINDOWS\SYSTEM32\TASKS\PC Booster Pro, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\PC Booster Pro.lnk, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\WINDOWS\SYSTEM32\TASKS\PC Booster Pro Protection Startup, Quarantined, [1369], [709551],1.0.11664 PUP.Optional.PCBoosterPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Booster Pro\PC Booster Pro.lnk, Quarantined, [1369], [709552],1.0.11664 PUP.Optional.PCBoosterPro, C:\Users\{username}\AppData\Roaming\PC Booster Pro\PC Repair Online\setting\pbp_sett.ash, Quarantined, [1369], [709554],1.0.11664 PUP.Optional.PCBoosterPro, C:\USERS\{username}\DESKTOP\PCBOOSTERPRO.EXE, Quarantined, [1369], [709559],1.0.11664 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is Segurazo?The Malwarebytes research team has determined that Segurazo is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Segurazo?This is how the main screen of the system optimizer looks:You may see this entry in your list of installed programs:and see these warnings during install:and these services in your list of Windows services:How did Segurazo get on my computer?These so-called system optimizers use different methods of getting installed. This one has been reported to be included in bundlers, but this version was downloaded from their website:How do I remove Segurazo?Our program Malwarebytes can detect and remove this potentially unwanted application.Before you run the scan we recommend to use the "Quit" option for Segurazo that you can find in the right-click menu of the Taskbar icon.Failing to do so may cause the Malwarebytes scan to take unnecessary long. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Segurazo? No, Malwarebytes removes Segurazo completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Segurazo installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Digital Communications Inc. -> Digital Communications Inc) C:\Program Files (x86)\Segurazo\SegurazoClient.exe (Digital Communications Inc. -> Digital Communications Inc) C:\Program Files (x86)\Segurazo\SegurazoService.exe (Digital Communications Inc. -> Digital Communications Inc) C:\ProgramData\Segurazo\SegurazoIC.exe (Digital Communications Inc. -> Digital Communications Inc) C:\ProgramData\Segurazo\SegurazoWD.exe "SegurazoIC" => service was unlocked. <==== ATTENTION R2 SegurazoIC; C:\ProgramData\Segurazo\SegurazoIC.exe [542120 2019-03-18] (Digital Communications Inc. -> Digital Communications Inc) R2 SegurazoSvc; C:\Program Files (x86)\Segurazo\SegurazoService.exe [179624 2019-03-18] (Digital Communications Inc. -> Digital Communications Inc) R2 SegurazoWD; C:\ProgramData\Segurazo\SegurazoWD.exe [38312 2019-03-18] (Digital Communications Inc. -> Digital Communications Inc) C:\Program Files (x86)\Segurazo C:\ProgramData\Segurazo C:\Users\{username}\AppData\Roaming\segurazoclient C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Segurazo Segurazo Antivirus (HKLM-x32\...\Segurazo) (Version: 1.0.6.9 - Digital Communications Inc) ContextMenuHandlers1: [SegurazoShellExtension.FileContextMenuExt] -> {BFD98515-CD74-48A4-98E2-13D209E3EE4F} => C:\Program Files (x86)\Segurazo\SegurazoShell64_v1069.dll [2019-03-18] (Digital Communications Inc. -> Digital Communications Inc) ContextMenuHandlers4: [SegurazoShellExtension.FileContextMenuExt] -> {BFD98515-CD74-48A4-98E2-13D209E3EE4F} => C:\Program Files (x86)\Segurazo\SegurazoShell64_v1069.dll [2019-03-18] (Digital Communications Inc. -> Digital Communications Inc) ContextMenuHandlers6: [SegurazoShellExtension.FileContextMenuExt] -> {BFD98515-CD74-48A4-98E2-13D209E3EE4F} => C:\Program Files (x86)\Segurazo\SegurazoShell64_v1069.dll [2019-03-18] (Digital Communications Inc. -> Digital Communications Inc) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Segurazo Adds the file Errors.dat"="7/19/2019 9:41 AM, 621 bytes, A Adds the file ExclusionsList.dat"="7/19/2019 9:38 AM, 2520 bytes, A Adds the file Microsoft.Diagnostics.Tracing.TraceEvent.dll"="12/19/2018 12:23 PM, 1008944 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="12/19/2018 12:23 PM, 310784 bytes, A Adds the file ReportsList.dat"="7/19/2019 9:46 AM, 408 bytes, A Adds the file rsEngine.config"="7/19/2019 9:38 AM, 236 bytes, A Adds the file rsEngine.dll"="2/26/2019 12:31 PM, 5490968 bytes, A Adds the file rsEngineHelper.exe"="2/26/2019 12:31 PM, 165656 bytes, A Adds the file rsEngineHelper.exe.config"="12/19/2018 12:23 PM, 383 bytes, A Adds the file rsEngineSDK.dll"="2/26/2019 12:31 PM, 198936 bytes, A Adds the file ScanDetectionsList.dat"="7/19/2019 9:46 AM, 128 bytes, A Adds the file SegurazoClient.exe"="3/18/2019 4:02 PM, 1896872 bytes, A Adds the file SegurazoClient.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SegurazoEngine.dll"="3/18/2019 4:02 PM, 3877288 bytes, A Adds the file SegurazoService.config"="7/19/2019 9:49 AM, 4736 bytes, A Adds the file SegurazoService.exe"="3/18/2019 4:03 PM, 179624 bytes, A Adds the file SegurazoService.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file SegurazoShell64_v1069.dll"="3/18/2019 4:02 PM, 172456 bytes, A Adds the file SegurazoShell86_v1069.dll"="3/18/2019 4:02 PM, 145320 bytes, A Adds the file SegurazoTools.dll"="3/18/2019 4:03 PM, 135080 bytes, A Adds the file SegurazoUninstaller.exe"="3/18/2019 4:02 PM, 1012136 bytes, A Adds the file SegurazoUninstaller.exe.config"="2/9/2019 5:44 PM, 427 bytes, A Adds the file Signatures.dat"="7/19/2019 9:40 AM, 1060120 bytes, A Adds the file SignaturesPacks.dat"="7/19/2019 9:40 AM, 203992 bytes, A Adds the file SubmitsList.dat"="7/19/2019 9:46 AM, 128 bytes, A Adds the file System.Threading.dll"="12/19/2018 12:23 PM, 387408 bytes, A Adds the file uninstaller.ico"="12/19/2018 12:23 PM, 24990 bytes, A Adds the file WhiteList.dat"="7/19/2019 9:40 AM, 278616 bytes, A Adds the folder C:\Program Files (x86)\Segurazo\amd64 Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 223008 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1380512 bytes, A Adds the folder C:\Program Files (x86)\Segurazo\Cache Adds the folder C:\Program Files (x86)\Segurazo\Logs Adds the file err.dat"="7/19/2019 9:41 AM, 447 bytes, A Adds the folder C:\Program Files (x86)\Segurazo\Scans Adds the file abfc197d-3021-42b9-8ca6-5aaa7345b20b.scan"="7/19/2019 9:46 AM, 1388 bytes, A Adds the folder C:\Program Files (x86)\Segurazo\x64 Adds the file 7z64.dll"="12/19/2018 12:23 PM, 1646592 bytes, A Adds the file ext_x64.dll"="12/19/2018 12:23 PM, 375576 bytes, A Adds the file lz4_x64.dll"="12/19/2018 12:23 PM, 119064 bytes, A Adds the file rsEngineFW_x64.dll"="12/19/2018 12:23 PM, 104216 bytes, A Adds the file rsEnginePM_x64.dll"="12/19/2018 12:23 PM, 228120 bytes, A Adds the file rsLggrServer_x64.dll"="12/19/2018 12:23 PM, 821528 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1658136 bytes, A Adds the folder C:\Program Files (x86)\Segurazo\x86 Adds the file 7z86.dll"="12/19/2018 12:23 PM, 1113088 bytes, A Adds the file ext_x86.dll"="12/19/2018 12:23 PM, 280344 bytes, A Adds the file KernelTraceControl.dll"="12/19/2018 12:23 PM, 167200 bytes, A Adds the file lz4_x86.dll"="12/19/2018 12:23 PM, 98584 bytes, A Adds the file msdia140.dll"="12/19/2018 12:23 PM, 1081656 bytes, A Adds the file rsEngineFW_x86.dll"="12/19/2018 12:23 PM, 88856 bytes, A Adds the file rsEnginePM_x86.dll"="12/19/2018 12:23 PM, 190744 bytes, A Adds the file rsLggrServer_x86.dll"="12/19/2018 12:23 PM, 569344 bytes, A Adds the file System.Data.SQLite.dll"="12/19/2018 12:23 PM, 1209624 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Segurazo Adds the file Segurazo Antivirus.lnk"="7/19/2019 9:38 AM, 1055 bytes, A Adds the folder C:\ProgramData\Segurazo Adds the file SegurazoEngine.dll"="3/18/2019 4:02 PM, 3877288 bytes, A Adds the file SegurazoIC.exe"="3/18/2019 4:03 PM, 542120 bytes, A Adds the file SegurazoWD.config"="7/19/2019 9:49 AM, 1 bytes, A Adds the file SegurazoWD.exe"="3/18/2019 4:03 PM, 38312 bytes, A Adds the file SegurazoWD.exe.config"="1/30/2019 6:58 PM, 427 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\segurazoclient Adds the file segurazoclientConfig.xml"="7/19/2019 9:46 AM, 1178 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellEx\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}] "(Default)"="REG_SZ", "SegurazoShellExtension.FileContextMenuExt Class" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}\InprocServer32] "(Default)"="REG_SZ", "C:\Program Files (x86)\Segurazo\SegurazoShell64_v1069.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\*\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lnk\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\Folder\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\lnkfile\shellex\ContextMenuHandlers\SegurazoShellExtension.FileContextMenuExt] "(Default)"="REG_SZ", "{BFD98515-CD74-48A4-98E2-13D209E3EE4F}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}] "(Default)"="REG_SZ", "SegurazoShellExtension.FileContextMenuExt Class" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}\InprocServer32] "(Default)"="REG_SZ", "C:\Program Files (x86)\Segurazo\SegurazoShell86_v1069.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\SegOption] "fst"="REG_DWORD", 1 "gui"="REG_DWORD", 42 "guisc"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Segurazo] "FirstRun"="REG_SZ", "7/19/2019 9:38:51 AM" "FSSDT"="REG_SZ", "7/19/2019 9:46:49 AM" "FSSID"="REG_SZ", "abfc197d-3021-42b9-8ca6-5aaa7345b20b" "FSSTIDQuick"="REG_SZ", "abfc197d-3021-42b9-8ca6-5aaa7345b20b" "LSTSCDQuick"="REG_SZ", "7/19/2019 9:46:49 AM" "LSTSCQuick"="REG_SZ", "abfc197d-3021-42b9-8ca6-5aaa7345b20b" "PMDPP"="REG_SZ", "0" "PRSC"="REG_SZ", "0" "PRSD"="REG_SZ", "" "RGUSR"="REG_SZ", "636991259313647198" "ServicePipe"="REG_SZ", "Segurazo1" "SIGLC"="REG_SZ", "7/19/2019 9:40:01 AM" "STATSC"="REG_SZ", "1" "U"="REG_SZ", "4f8dd972-5ca9-45c9-8e9f-ead0fc20f9e0" "UH"="REG_SZ", "6BFC2FFE7B88A3463B117E05B0F0F3D7" "WLLCK"="REG_SZ", "7/19/2019 9:40:02 AM" [HKEY_LOCAL_MACHINE\SOFTWARE\Segurazo\RescanQueue] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Segurazo] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Segurazo\uninstaller.ico" "DisplayName"="REG_SZ", "Segurazo Antivirus" "DisplayVersion"="REG_SZ", "1.0.6.9" "EstimatedSize"="REG_DWORD", 25746 "Publisher"="REG_SZ", "Digital Communications Inc" "UninstallString"="REG_SZ", "C:\Program Files (x86)\Segurazo\SegurazoUninstaller.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Segurazo] "FirstRun"="REG_SZ", "7/19/2019 9:38:51 AM" "FSSDT"="REG_SZ", "7/19/2019 9:46:49 AM" "FSSID"="REG_SZ", "abfc197d-3021-42b9-8ca6-5aaa7345b20b" "FSSTIDQuick"="REG_SZ", "abfc197d-3021-42b9-8ca6-5aaa7345b20b" "LSTSCDQuick"="REG_SZ", "7/19/2019 9:46:49 AM" "LSTSCQuick"="REG_SZ", "abfc197d-3021-42b9-8ca6-5aaa7345b20b" "PMDPP"="REG_SZ", "0" "PRSC"="REG_SZ", "0" "PRSD"="REG_SZ", "" "RGUSR"="REG_SZ", "636991259313647198" "SIGLC"="REG_SZ", "7/19/2019 9:40:01 AM" "STATSC"="REG_SZ", "1" "U"="REG_SZ", "4f8dd972-5ca9-45c9-8e9f-ead0fc20f9e0" "UH"="REG_SZ", "6BFC2FFE7B88A3463B117E05B0F0F3D7" "WLLCK"="REG_SZ", "7/19/2019 9:40:02 AM" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SegurazoAntivirus] "InstallEnd"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application] "AutoBackupLogFiles"="REG_DWORD", 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\SegurazoSvc] "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Service1] "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\EventLogMessages.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SegurazoIC] "DelayedAutostart"="REG_DWORD", 1 "Description"="REG_SZ", "This service protect your pc from viruses and spyware." "DisplayName"="REG_SZ", "SegurazoIC" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\Segurazo\SegurazoIC.exe -service" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SegurazoIC\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SegurazoSvc] "DelayedAutostart"="REG_DWORD", 1 "Description"="REG_SZ", "This service protect your pc from viruses and spyware." "DisplayName"="REG_SZ", "SegurazoSvc" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\Segurazo\SegurazoService.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SegurazoSvc\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SegurazoWD] "DelayedAutostart"="REG_DWORD", 1 "Description"="REG_SZ", "This service protect your pc from viruses and spyware." "DisplayName"="REG_SZ", "SegurazoWD" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ............d...d...d. "ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\Segurazo\SegurazoWD.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SegurazoWD\Security] "Security"="REG_BINARY, ........0................p...."......................... ................................... Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/19/19 Scan Time: 11:36 AM Log File: c06d0aca-aa08-11e9-929a-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11626 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: METALLICA-PC\Metallica -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236547 Threats Detected: 96 Threats Quarantined: 96 Time Elapsed: 7 min, 26 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 3 PUP.Optional.Segurazo, C:\PROGRAMDATA\SEGURAZO\SEGURAZOIC.EXE, Quarantined, [1510], [709536],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoService.exe, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Segurazo\SegurazoWD.exe, Quarantined, [1510], [709093],1.0.11626 Module: 5 PUP.Optional.Segurazo, C:\PROGRAMDATA\SEGURAZO\SEGURAZOIC.EXE, Quarantined, [1510], [709536],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoEngine.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoService.exe, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Segurazo\SegurazoEngine.dll, Quarantined, [1510], [709093],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Segurazo\SegurazoWD.exe, Quarantined, [1510], [709093],1.0.11626 Registry Key: 29 PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\Segurazo, Quarantined, [1510], [709100],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}\InprocServer32, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}\InprocServer32, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}\InprocServer32, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\SegurazoAntivirus, Quarantined, [1510], [709101],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\Segurazo, Quarantined, [1510], [709100],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\segurazoclient_RASAPI32, Quarantined, [1510], [709099],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\.LNK\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709528],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709528],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709097],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\segurazoclient_RASMANCS, Quarantined, [1510], [709099],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709098],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709096],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SegurazoService_RASAPI32, Quarantined, [1510], [709099],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\*\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709530],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SegurazoService_RASMANCS, Quarantined, [1510], [709099],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709530],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.LNK\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709530],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SegurazoWD_RASAPI32, Quarantined, [1510], [709099],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\MICROSOFT\TRACING\SegurazoWD_RASMANCS, Quarantined, [1510], [709099],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709530],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\SegurazoShellExtension.FileContextMenuExt, Quarantined, [1510], [709530],1.0.11626 PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SegurazoIC, Quarantined, [1510], [709536],1.0.11626 PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SegurazoSvc, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Segurazo, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SegurazoWD, Quarantined, [1510], [709093],1.0.11626 Registry Value: 3 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}|, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\CLASSES\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}|, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{BFD98515-CD74-48A4-98E2-13D209E3EE4F}|, Quarantined, [1510], [709095],1.0.11626 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\amd64, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\Cache, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SEGURAZO, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SEGURAZO, Quarantined, [1510], [709092],1.0.11626 PUP.Optional.Segurazo, C:\PROGRAMDATA\SEGURAZO, Quarantined, [1510], [709093],1.0.11626 PUP.Optional.Segurazo, C:\USERS\METALLICA\APPDATA\ROAMING\SEGURAZOCLIENT, Quarantined, [1510], [709094],1.0.11626 File: 48 PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SEGURAZO\SEGURAZOSHELL64_V1069.DLL, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, C:\PROGRAM FILES (X86)\SEGURAZO\SEGURAZOSHELL86_V1069.DLL, Quarantined, [1510], [709095],1.0.11626 PUP.Optional.Segurazo, C:\PROGRAMDATA\SEGURAZO\SEGURAZOIC.EXE, Quarantined, [1510], [709536],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\amd64\KernelTraceControl.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\amd64\msdia140.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64\7z64.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64\ext_x64.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64\lz4_x64.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64\rsEngineFW_x64.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64\rsEnginePM_x64.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64\rsLggrServer_x64.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x64\System.Data.SQLite.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\7z86.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\ext_x86.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\KernelTraceControl.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\lz4_x86.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\msdia140.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\rsEngineFW_x86.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\rsEnginePM_x86.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\rsLggrServer_x86.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\x86\System.Data.SQLite.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoService.exe.config, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\Errors.dat, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\ExclusionsList.dat, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\Microsoft.Diagnostics.Tracing.TraceEvent.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\Microsoft.Win32.TaskScheduler.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\rsEngine.config, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\rsEngine.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\rsEngineHelper.exe, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\rsEngineHelper.exe.config, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\rsEngineSDK.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoClient.exe, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoClient.exe.config, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoEngine.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoService.config, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoService.exe, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoTools.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoUninstaller.exe, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\SegurazoUninstaller.exe.config, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\System.Threading.dll, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\Program Files (x86)\Segurazo\uninstaller.ico, Quarantined, [1510], [709091],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Segurazo\Segurazo Antivirus.lnk, Quarantined, [1510], [709092],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Segurazo\SegurazoEngine.dll, Quarantined, [1510], [709093],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Segurazo\SegurazoWD.config, Quarantined, [1510], [709093],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Segurazo\SegurazoWD.exe, Quarantined, [1510], [709093],1.0.11626 PUP.Optional.Segurazo, C:\ProgramData\Segurazo\SegurazoWD.exe.config, Quarantined, [1510], [709093],1.0.11626 PUP.Optional.Segurazo, C:\Users\Metallica\AppData\Roaming\segurazoclient\segurazoclientConfig.xml, Quarantined, [1510], [709094],1.0.11626 PUP.Optional.Segurazo, C:\USERS\METALLICA\DESKTOP\SEGURAZOSETUP.EXE, Quarantined, [1510], [709102],1.0.11626 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  22. What is Advance PC Solutions?The Malwarebytes research team has determined that Advance PC Solutions is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Advance PC Solutions?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and this type of screens during "operations":and this one when you try to uninstall it:Cancel stops the uninstall procedureYou may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Advance PC Solutions get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove Advance PC Solutions?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Advance PC Solutions? No, Malwarebytes removes Advance PC Solutions completely. This PUP creates a scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Advance PC Solutions installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) C:\Program Files (x86)\Advance PC Solutions\advpcsolutions.exe Task: {498806A4-6594-4208-A5C8-AFEFACBC03C2} - System32\Tasks\Advance PC Solutions => C:\Program Files (x86)\Advance PC Solutions\advpcsolutions.exe [3197744 2019-06-07] (Econosoft Global Services PTE. LTD. -> Econosoft Global Services Pte. Ltd.) S2 COMServices; C:\Program Files (x86)\Advance PC Solutions\svc//COMServices.exe [X] C:\Windows\System32\Tasks\Advance PC Solutions C:\Users\{username}\AppData\Roaming\Advance PC Solutions C:\Users\{username}\Downloads\Trojan.Worm.766726.msh C:\Users\Public\Desktop\Advance PC Solutions.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advance PC Solutions C:\Program Files (x86)\Advance PC Solutions (Econosoft Global Services Pte. Ltd. ) C:\Users\{username}\Desktop\advpcsolutions.exe Advance PC Solutions (HKLM-x32\...\{487A114A-1C46-40A3-8528-E7BFA8DA23F5}}_is1) (Version: 1.0 - Econosoft Global Services Pte. Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Advance PC Solutions Adds the file advpcsolutions.exe"="6/7/2019 6:35 PM, 3197744 bytes, A Adds the file Interop.NATUPNPLib.dll"="4/19/2018 12:25 PM, 7168 bytes, A Adds the file Interop.NETCONLib.dll"="4/19/2018 12:25 PM, 9728 bytes, A Adds the file Interop.NetFwTypeLib.dll"="4/19/2018 12:25 PM, 19456 bytes, A Adds the file Interop.Shell32.dll"="4/19/2018 12:25 PM, 36864 bytes, A Adds the file Interop.WUApiLib.dll"="4/19/2018 12:25 PM, 73728 bytes, A Adds the file ksb.bat"="8/8/2018 9:05 PM, 208 bytes, A Adds the file logo.ico"="6/7/2019 5:40 PM, 38078 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="4/19/2018 12:31 PM, 171008 bytes, A Adds the file SharpCompress.dll"="4/19/2018 12:35 PM, 418304 bytes, A Adds the file Sys_Trace.xml"="4/19/2018 12:45 PM, 46 bytes, A Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file unins000.dat"="7/16/2019 3:33 PM, 65210 bytes, A Adds the file unins000.exe"="7/16/2019 3:33 PM, 749360 bytes, A Adds the file unins000.msg"="7/16/2019 3:33 PM, 11581 bytes, A Adds the file WpfAnimatedGif.dll"="4/19/2018 12:20 PM, 28160 bytes, A Adds the file WPFToolkit.dll"="4/19/2018 12:20 PM, 467288 bytes, A Adds the folder C:\Program Files (x86)\Advance PC Solutions\Backup Adds the folder C:\Program Files (x86)\Advance PC Solutions\de Adds the folder C:\Program Files (x86)\Advance PC Solutions\en Adds the file advpcsolutions.resources.dll"="6/7/2019 6:35 PM, 27136 bytes, A Adds the file sharkpcprotector.resources.dll"="6/6/2019 7:58 PM, 27136 bytes, A Adds the folder C:\Program Files (x86)\Advance PC Solutions\ja-jp Adds the folder C:\Program Files (x86)\Advance PC Solutions\uni Adds the file System.Data.SQLite.dll"="4/19/2018 12:45 PM, 353280 bytes, A Adds the file System.Data.SQLite.xml"="4/19/2018 12:45 PM, 1051056 bytes, A Adds the file Uninstaller.exe"="6/7/2019 6:36 PM, 565552 bytes, A Adds the folder C:\Program Files (x86)\Advance PC Solutions\x64 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1534464 bytes, A Adds the folder C:\Program Files (x86)\Advance PC Solutions\x86 Adds the file SQLite.Interop.dll"="4/19/2018 12:45 PM, 1149440 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advance PC Solutions Adds the file Advance PC Solutions.lnk"="7/16/2019 3:33 PM, 1239 bytes, A Adds the file Uninstall Advance PC Solutions.lnk"="7/16/2019 3:33 PM, 1209 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Advance PC Solutions\PC Repair Online\Backup Adds the folder C:\Users\{username}\AppData\Roaming\Advance PC Solutions\PC Repair Online\setting Adds the file pbp_sett.ash"="7/16/2019 3:38 PM, 102400 bytes, A In the existing folder C:\Users\{username}\Downloads Adds the file Trojan.Worm.766726.msh"="7/12/2019 7:38 PM, 259 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Advance PC Solutions.lnk"="7/16/2019 3:33 PM, 1221 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Advance PC Solutions"="7/16/2019 3:34 PM, 3252 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\FT\APS\Activation] "Insdate"="REG_SZ", "bT4B7QSKGCb4ucK62vNZOMHNveNFYjZ6nQbe74oEyQs=" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "lap"="REG_SZ", "51sws36QDBIEpDKEpyQ4sx2f9tVRgx9Of8bohj9PQ64=" "lbp"="REG_SZ", "51sws36QDBIEpDKEpyQ4sx2f9tVRgx9Of8bohj9PQ64=" "lr"="REG_SZ", "BK6W2BzUuxwDEqiqBeww2i6RrUgYZvNul7b4vvyk4+Q=" "lsp"="REG_SZ", "51sws36QDBIEpDKEpyQ4sx2f9tVRgx9Of8bohj9PQ64=" "PN"="REG_SZ", "+1(888)200-8889" "Program"="REG_SZ", "Advance PC Solutions" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FT\APS\Activation] "IsTrack"="REG_SZ", "1" "language"="REG_SZ", "en" "languageindex"="REG_SZ", "0" "Program"="REG_SZ", "Advance PC Solutions" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{487A114A-1C46-40A3-8528-E7BFA8DA23F5}}_is1] "Comments"="REG_SZ", "Advance PC Solutions" "Contact"="REG_SZ", "0800-183-3940" "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Advance PC Solutions\logo.ico" "DisplayName"="REG_SZ", "Advance PC Solutions" "DisplayVersion"="REG_SZ", "1.0" "EstimatedSize"="REG_DWORD", 13892 "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\Advance PC Solutions" "Inno Setup: Icon Group"="REG_SZ", "Advance PC Solutions" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.6 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190716" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Advance PC Solutions\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Econosoft Global Services Pte. Ltd." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\Advance PC Solutions\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\Advance PC Solutions\unins000.exe"" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMServices] "DisplayName"="REG_SZ", "COMServices" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\Advance PC Solutions\svc//COMServices.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Advance PC Solutions"="REG_SZ", ""C:\Program Files (x86)\Advance PC Solutions\ksb.bat"" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/17/19 Scan Time: 8:58 AM Log File: 5051be92-a860-11e9-bd41-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11590 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236319 Threats Detected: 65 Threats Quarantined: 65 Time Elapsed: 6 min, 18 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\advpcsolutions.exe, Quarantined, [4459], [708750],1.0.11590 Module: 2 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\x64\SQLite.Interop.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\advpcsolutions.exe, Quarantined, [4459], [708750],1.0.11590 Registry Key: 5 PUP.Optional.AdvancePCSolutions, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ADVANCE PC SOLUTIONS, Quarantined, [4459], [708758],1.0.11590 PUP.Optional.AdvancePCSolutions, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D9DB24FA-EB4C-4A3B-84D2-52829E523B2E}, Quarantined, [4459], [708758],1.0.11590 PUP.Optional.AdvancePCSolutions, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{D9DB24FA-EB4C-4A3B-84D2-52829E523B2E}, Quarantined, [4459], [708758],1.0.11590 PUP.Optional.AdvancePCSolutions, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\COMSERVICES, Quarantined, [4459], [708757],1.0.11590 PUP.Optional.AdvancePCSolutions, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{487A114A-1C46-40A3-8528-E7BFA8DA23F5}}_is1, Quarantined, [4459], [708750],1.0.11590 Registry Value: 3 PUP.Optional.AdvancePCSolutions, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D9DB24FA-EB4C-4A3B-84D2-52829E523B2E}|PATH, Quarantined, [4459], [708755],1.0.11590 PUP.Optional.AdvancePCSolutions, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\COMSERVICES|IMAGEPATH, Quarantined, [4459], [708757],1.0.11590 PUP.Optional.AdvancePCSolutions, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Advance PC Solutions, Quarantined, [4459], [708750],1.0.11590 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.AdvancePCSolutions, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ADVANCE PC SOLUTIONS, Quarantined, [4459], [708752],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\ja-jp, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\x64, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\x86, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Backup, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\de, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\en, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\ja-jp, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\x64, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\x86, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\de, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\en, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\PROGRAM FILES (X86)\ADVANCE PC SOLUTIONS, Quarantined, [4459], [708750],1.0.11590 File: 40 PUP.Optional.AdvancePCSolutions, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ADVANCE PC SOLUTIONS\UNINSTALL ADVANCE PC SOLUTIONS.LNK, Quarantined, [4459], [708752],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advance PC Solutions\Advance PC Solutions.lnk, Quarantined, [4459], [708752],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\WINDOWS\SYSTEM32\TASKS\ADVANCE PC SOLUTIONS, Quarantined, [4459], [708758],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\USERS\PUBLIC\DESKTOP\ADVANCE PC SOLUTIONS.LNK, Quarantined, [4459], [708754],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\PROGRAM FILES (X86)\ADVANCE PC SOLUTIONS\UNINS000.MSG, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\de\advpcsolutions.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\de\sharkpcprotector.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\en\advpcsolutions.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\en\sharkpcprotector.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\ja-jp\advpcsolutions.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\ja-jp\sharkpcprotector.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\de\Uninstaller.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\en\Uninstaller.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\ja-jp\Uninstaller.resources.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\x64\SQLite.Interop.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\x86\SQLite.Interop.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\System.Data.SQLite.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\System.Data.SQLite.xml, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\uni\Uninstaller.exe, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\x64\SQLite.Interop.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\x86\SQLite.Interop.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\logo.ico, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\advpcsolutions.exe, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Interop.NATUPNPLib.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Interop.NETCONLib.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Interop.NetFwTypeLib.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Interop.Shell32.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Interop.WUApiLib.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\ksb.bat, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Microsoft.Win32.TaskScheduler.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\SharpCompress.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\System.Data.SQLite.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\System.Data.SQLite.xml, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\Sys_Trace.xml, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\unins000.dat, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\unins000.exe, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\WpfAnimatedGif.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\Program Files (x86)\Advance PC Solutions\WPFToolkit.dll, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Advance PC Solutions.lnk, Quarantined, [4459], [708750],1.0.11590 PUP.Optional.AdvancePCSolutions, C:\USERS\{username}\DESKTOP\ADVANCE PC SOLUTIONS.EXE, Quarantined, [4459], [708749],1.0.11590 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is ImSearch?The Malwarebytes research team has determined that ImSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one redirects search results from major search engines to their own sites.How do I know if my computer is affected by ImSearch?You may see this entry in your list of installed Chrome extensions:and these warnings during install:How did ImSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove ImSearch?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of ImSearch? No, Malwarebytes removes ImSearch completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the ImSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (ImSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj [2019-07-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0 Adds the file background.js"="4/27/2019 2:39 AM, 5680 bytes, A Adds the file manifest.json"="7/16/2019 9:05 AM, 7260 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\_metadata Adds the file computed_hashes.json"="7/16/2019 9:05 AM, 404 bytes, A Adds the file verified_contents.json"="7/14/2019 7:55 PM, 1645 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\icons Adds the file icon128.png"="7/16/2019 9:05 AM, 2188 bytes, A Adds the file icon48.png"="7/16/2019 9:05 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj Adds the file 000003.log"="7/16/2019 9:07 AM, 80 bytes, A Adds the file CURRENT"="7/16/2019 9:05 AM, 16 bytes, A Adds the file LOCK"="7/16/2019 9:05 AM, 0 bytes, A Adds the file LOG"="7/16/2019 9:05 AM, 183 bytes, A Adds the file MANIFEST-000001"="7/16/2019 9:05 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kcllfdmfkiplpbjepgicpancileobcoj Adds the file ImSearch.ico"="7/16/2019 9:05 AM, 162813 bytes, A Adds the file ImSearch.ico.md5"="7/16/2019 9:05 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kcllfdmfkiplpbjepgicpancileobcoj"="REG_SZ", "35ABFC34B0DB0BF1F08CC94E5EB39C2FA7497ABF4A1D0CDADF9B58151B4068C5" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/16/19 Scan Time: 9:12 AM Log File: 24b1d938-a799-11e9-94ca-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11572 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236169 Threats Detected: 20 Threats Quarantined: 20 Time Elapsed: 6 min, 55 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.QXSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kcllfdmfkiplpbjepgicpancileobcoj, Quarantined, [352], [676735],1.0.11572 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\_metadata, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\icons, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCLLFDMFKIPLPBJEPGICPANCILEOBCOJ, Quarantined, [352], [676735],1.0.11572 File: 14 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj\000003.log, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj\CURRENT, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj\LOCK, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj\LOG, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj\LOG.old, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kcllfdmfkiplpbjepgicpancileobcoj\MANIFEST-000001, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCLLFDMFKIPLPBJEPGICPANCILEOBCOJ\2.9_0\MANIFEST.JSON, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\icons\icon128.png, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\icons\icon48.png, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\_metadata\computed_hashes.json, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\_metadata\verified_contents.json, Quarantined, [352], [676735],1.0.11572 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcllfdmfkiplpbjepgicpancileobcoj\2.9_0\background.js, Quarantined, [352], [676735],1.0.11572 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is VideoConverterHD?The Malwarebytes research team has determined that VideoConverterHD is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.VideoConverterHD is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by VideoConverterHD?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did VideoConverterHD get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove VideoConverterHD?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of VideoConverterHD? No, Malwarebytes' Anti-Malware removes VideoConverterHD completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the VideoConverterHD hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/videoconverterhd/ttab02/index.html?n={n}&p2={p2}TAB02&ptb={ptb}&coid={coid} FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _l1Members_@www.videoconverterhd.com FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: _l1Members_@www.videoconverterhd.com FF Extension: (VideoConverterHD) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_l1Members_@www.videoconverterhd.com.xpi [2019-07-15] [UpdateUrl:hxxps:\/\/updates.tb.ask.com\/updateXpi.json?id=234873107&version=8.901.15.24481&track=TTAB02&trackRevision=1&fromId=_l1Members_%40www.videoconverterhd.com&isBridgeExtension=false] CHR NewTab: Default -> Active:"chrome-extension://glohakccicfcgpelekfpgllfnlameopo/newtabpage.html" CHR Extension: (VideoConverterHD) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo [2019-07-15] C:\Users\{username}\AppData\Local\VideoConverterHDTooltab VideoConverterHD Internet Explorer Homepage and New Tab (HKCU\...\VideoConverterHDTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0 Adds the file manifest.json"="7/15/2019 9:21 AM, 2700 bytes, A Adds the file newtabpage.html"="4/30/2019 4:52 PM, 1349 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_locales\en Adds the file messages.json"="7/15/2019 9:21 AM, 185 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_metadata Adds the file computed_hashes.json"="7/15/2019 9:21 AM, 5638 bytes, A Adds the file verified_contents.json"="4/30/2019 4:52 PM, 6147 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\config Adds the file config.json"="4/30/2019 4:52 PM, 1573 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\icons Adds the file icon128.png"="7/15/2019 9:21 AM, 14132 bytes, A Adds the file icon16.png"="4/30/2019 4:52 PM, 1728 bytes, A Adds the file icon19disabled.png"="4/30/2019 4:52 PM, 1803 bytes, A Adds the file icon19on.png"="7/15/2019 9:21 AM, 1136 bytes, A Adds the file icon48.png"="7/15/2019 9:21 AM, 4043 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js Adds the file ajax.js"="4/30/2019 4:52 PM, 3263 bytes, A Adds the file babAPI.js"="4/30/2019 4:52 PM, 5703 bytes, A Adds the file babClickHandler.js"="4/30/2019 4:52 PM, 11414 bytes, A Adds the file babContentScript.js"="4/30/2019 4:52 PM, 3275 bytes, A Adds the file babContentScriptAPI.js"="4/30/2019 4:52 PM, 5934 bytes, A Adds the file background.js"="4/30/2019 4:52 PM, 22384 bytes, A Adds the file browserUtils.js"="4/30/2019 4:52 PM, 1532 bytes, A Adds the file chrome.js"="4/30/2019 4:52 PM, 146 bytes, A Adds the file contentScriptConnectionManager.js"="4/30/2019 4:52 PM, 22629 bytes, A Adds the file dateTimeUtils.js"="4/30/2019 4:52 PM, 1213 bytes, A Adds the file dlp.js"="4/30/2019 4:52 PM, 5815 bytes, A Adds the file dlpHelper.js"="4/30/2019 4:52 PM, 1835 bytes, A Adds the file extensionDetect.js"="4/30/2019 4:52 PM, 4354 bytes, A Adds the file index.js"="4/30/2019 4:52 PM, 49 bytes, A Adds the file localStorageContentScript.js"="4/30/2019 4:52 PM, 2236 bytes, A Adds the file logger.js"="4/30/2019 4:52 PM, 516 bytes, A Adds the file meta.js"="4/30/2019 4:52 PM, 513 bytes, A Adds the file offerService.js"="4/30/2019 4:52 PM, 16950 bytes, A Adds the file pageUtils.js"="4/30/2019 4:52 PM, 3574 bytes, A Adds the file PartnerId.js"="4/30/2019 4:52 PM, 16402 bytes, A Adds the file polyfill.js"="4/30/2019 4:52 PM, 875 bytes, A Adds the file product.js"="4/30/2019 4:52 PM, 8604 bytes, A Adds the file remoteConfigLoader.js"="4/30/2019 4:52 PM, 4961 bytes, A Adds the file splashPageLocalStorageSetter.js"="4/30/2019 4:52 PM, 88 bytes, A Adds the file splashPageRedirectHandler.js"="4/30/2019 4:52 PM, 2868 bytes, A Adds the file storageUtils.js"="4/30/2019 4:52 PM, 1718 bytes, A Adds the file TemplateParser.js"="4/30/2019 4:52 PM, 3153 bytes, A Adds the file ul.js"="4/30/2019 4:52 PM, 3969 bytes, A Adds the file urlFragmentActions.js"="4/30/2019 4:52 PM, 2498 bytes, A Adds the file urlUtils.js"="4/30/2019 4:52 PM, 5906 bytes, A Adds the file util.js"="4/30/2019 4:52 PM, 2779 bytes, A Adds the file webtooltabAPI.js"="4/30/2019 4:52 PM, 9768 bytes, A Adds the file webTooltabAPIProxy.js"="4/30/2019 4:52 PM, 7589 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glohakccicfcgpelekfpgllfnlameopo Adds the file 000003.log"="7/15/2019 9:21 AM, 5696 bytes, A Adds the file CURRENT"="7/15/2019 9:21 AM, 16 bytes, A Adds the file LOCK"="7/15/2019 9:21 AM, 0 bytes, A Adds the file LOG"="7/15/2019 9:21 AM, 185 bytes, A Adds the file MANIFEST-000001"="7/15/2019 9:21 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\VideoConverterHDTooltab Adds the file TooltabExtension.dll"="4/30/2019 10:52 PM, 266864 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _l1Members_@www.videoconverterhd.com.xpi"="7/15/2019 9:18 AM, 90834 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "glohakccicfcgpelekfpgllfnlameopo"="REG_SZ", "90B1D92C007BE81ADC2C93B67A1BB64624B21AB4EA08DD74F1C440EBC2E96537" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/videoconverterhd/ttab02/index.html?n={n}&p2={p2}TAB02&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\VideoConverterHDTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "VideoConverterHD Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\VideoConverterHDTooltab\TooltabExtension.dll" U uninstall:VideoConverterHD" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\VideoConverterHD] "Start Page"="REG_SZ", "http://hp.myway.com/videoconverterhd/ttab02/index.html?n={n}&p2={p2}TAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "https://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2FM%3Fc%3D{ptb}%26ptb%3D^CRE^mni000^TTAB02" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/15/19 Scan Time: 9:29 AM Log File: 54157044-a6d2-11e9-9eb5-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11552 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236165 Threats Detected: 71 Threats Quarantined: 71 Time Elapsed: 6 min, 30 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\VideoConverterHDTooltab\TooltabExtension.dll, Quarantined, [1758], [356944],1.0.11552 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VideoConverterHDTooltab Uninstall Internet Explorer, Quarantined, [1758], [356944],1.0.11552 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\VideoConverterHD, Quarantined, [1758], [444113],1.0.11552 Registry Value: 3 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\VideoConverterHD|START PAGE, Quarantined, [1758], [444113],1.0.11552 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VideoConverterHDTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [635], [352442],1.0.11552 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|glohakccicfcgpelekfpgllfnlameopo, Quarantined, [1758], [443121],1.0.11552 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [635], [293497],1.0.11552 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\VideoConverterHDTooltab, Quarantined, [1758], [356944],1.0.11552 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\glohakccicfcgpelekfpgllfnlameopo, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_locales\en, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_metadata, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_locales, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\config, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\icons, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLOHAKCCICFCGPELEKFPGLLFNLAMEOPO, Quarantined, [1758], [443121],1.0.11552 File: 54 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\VideoConverterHDTooltab\TooltabExtension.dll, Quarantined, [1758], [356944],1.0.11552 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_l1Members_@www.videoconverterhd.com.xpi, Quarantined, [1758], [457930],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glohakccicfcgpelekfpgllfnlameopo\000003.log, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glohakccicfcgpelekfpgllfnlameopo\CURRENT, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glohakccicfcgpelekfpgllfnlameopo\LOCK, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glohakccicfcgpelekfpgllfnlameopo\LOG, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\glohakccicfcgpelekfpgllfnlameopo\MANIFEST-000001, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLOHAKCCICFCGPELEKFPGLLFNLAMEOPO\13.870.15.24468_0\MANIFEST.JSON, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\config\config.json, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\icons\icon128.png, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\icons\icon16.png, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\icons\icon19disabled.png, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\icons\icon19on.png, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\icons\icon48.png, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\meta.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\ajax.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\babAPI.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\babClickHandler.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\babContentScript.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\babContentScriptAPI.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\background.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\browserUtils.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\chrome.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\contentScriptConnectionManager.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\dateTimeUtils.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\dlp.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\dlpHelper.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\extensionDetect.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\index.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\localStorageContentScript.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\logger.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\offerService.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\pageUtils.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\PartnerId.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\polyfill.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\product.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\remoteConfigLoader.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\splashPageLocalStorageSetter.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\splashPageRedirectHandler.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\storageUtils.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\TemplateParser.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\ul.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\urlFragmentActions.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\urlUtils.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\util.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\webtooltabAPI.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\js\webTooltabAPIProxy.js, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_locales\en\messages.json, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_metadata\computed_hashes.json, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\_metadata\verified_contents.json, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glohakccicfcgpelekfpgllfnlameopo\13.870.15.24468_0\newtabpage.html, Quarantined, [1758], [443121],1.0.11552 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\VIDEOCONVERTERHD.EXE, Quarantined, [635], [365288],1.0.11552 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is APSearch?The Malwarebytes research team has determined that APSearch is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one redirects the searches of the most popualr search engine to a site of their own.How do I know if my computer is affected by APSearch?You may see this entry in your list of installed Chrome extensions:and these warnings during install:How did APSearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove APSearch?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of APSearch? No, Malwarebytes removes APSearch completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the APSearch hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR Extension: (APSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp [2019-07-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0 Adds the file background.js"="7/10/2019 2:43 PM, 6680 bytes, A Adds the file manifest.json"="7/12/2019 8:43 AM, 7351 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\_metadata Adds the file computed_hashes.json"="7/12/2019 8:43 AM, 404 bytes, A Adds the file verified_contents.json"="7/10/2019 2:42 PM, 1645 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\icons Adds the file icon128.png"="7/12/2019 8:43 AM, 2188 bytes, A Adds the file icon48.png"="7/12/2019 8:43 AM, 253 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhilifbgiamnlhfdmihfbamjbhhhonjp Adds the file 000003.log"="7/12/2019 8:45 AM, 99 bytes, A Adds the file CURRENT"="7/12/2019 8:43 AM, 16 bytes, A Adds the file LOCK"="7/12/2019 8:43 AM, 0 bytes, A Adds the file LOG"="7/12/2019 8:43 AM, 183 bytes, A Adds the file MANIFEST-000001"="7/12/2019 8:43 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nhilifbgiamnlhfdmihfbamjbhhhonjp Adds the file APSearch.ico"="7/12/2019 8:43 AM, 162813 bytes, A Adds the file APSearch.ico.md5"="7/12/2019 8:43 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "nhilifbgiamnlhfdmihfbamjbhhhonjp"="REG_SZ", "EB8D4E10636890E38F7E62AB62FE8BC1ED3A653E73CE4BBEEDA66975B2616206" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/12/19 Scan Time: 8:53 AM Log File: b57283b2-a471-11e9-9afc-00ffdcc6fdfc.json -Software Information- Version: 3.7.1.2839 Components Version: 1.0.586 Update Package Version: 1.0.11516 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236236 Threats Detected: 19 Threats Quarantined: 19 Time Elapsed: 5 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.QXSearch, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|nhilifbgiamnlhfdmihfbamjbhhhonjp, Quarantined, [351], [676735],1.0.11516 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 5 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\nhilifbgiamnlhfdmihfbamjbhhhonjp, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\_metadata, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\icons, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NHILIFBGIAMNLHFDMIHFBAMJBHHHONJP, Quarantined, [351], [676735],1.0.11516 File: 13 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhilifbgiamnlhfdmihfbamjbhhhonjp\000003.log, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhilifbgiamnlhfdmihfbamjbhhhonjp\CURRENT, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhilifbgiamnlhfdmihfbamjbhhhonjp\LOCK, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhilifbgiamnlhfdmihfbamjbhhhonjp\LOG, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhilifbgiamnlhfdmihfbamjbhhhonjp\MANIFEST-000001, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NHILIFBGIAMNLHFDMIHFBAMJBHHHONJP\3.9_0\MANIFEST.JSON, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\icons\icon128.png, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\icons\icon48.png, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\_metadata\computed_hashes.json, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\_metadata\verified_contents.json, Quarantined, [351], [676735],1.0.11516 PUP.Optional.QXSearch, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhilifbgiamnlhfdmihfbamjbhhhonjp\3.9_0\background.js, Quarantined, [351], [676735],1.0.11516 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.