Jump to content

Metallica

Staff
  • Content Count

    2,286
  • Joined

  • Last visited

Everything posted by Metallica

  1. What is mixGames Search?The Malwarebytes research team has determined that mixGames Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by mixGames Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did mixGames Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove mixGames Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of mixGames Search? No, Malwarebytes removes mixGames Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the mixGames Search hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://games.searchalgo.com/search/?category=web&s=xgds&q={searchTerms} CHR DefaultSearchKeyword: Default -> mixGames CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (mixGames Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha [2019-02-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0 Adds the file background.js"="2/22/2016 7:34 PM, 4336 bytes, A Adds the file manifest.json"="2/15/2019 8:48 AM, 1797 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata Adds the file computed_hashes.json"="2/15/2019 8:48 AM, 183 bytes, A Adds the file verified_contents.json"="2/22/2016 7:51 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons Adds the file icon128.png"="2/15/2019 8:48 AM, 9579 bytes, A Adds the file icon16.png"="2/15/2019 8:48 AM, 637 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kcboafodfidhkjhhagekcbeepegnccha"="REG_SZ", "7F4395AA55C2A03E3A5A8BE2113C18F11F89D281466C449A996239D2C59E2F5B" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/15/19 Scan Time: 8:56 AM Log File: 40f0053e-30f7-11e9-86b0-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9276 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236112 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchAlgo.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kcboafodfidhkjhhagekcbeepegnccha, Quarantined, [14646], [443230],1.0.9276 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCBOAFODFIDHKJHHAGEKCBEEPEGNCCHA, Quarantined, [14646], [443230],1.0.9276 File: 10 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KCBOAFODFIDHKJHHAGEKCBEEPEGNCCHA\1.0.0_0\MANIFEST.JSON, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons\icon128.png, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\icons\icon16.png, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata\computed_hashes.json, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\_metadata\verified_contents.json, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcboafodfidhkjhhagekcbeepegnccha\1.0.0_0\background.js, Quarantined, [14646], [443230],1.0.9276 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [454816],1.0.9276 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [351], [454816],1.0.9276 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is My Sport Tab?The Malwarebytes research team has determined that My Sport Tab is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.My Sport Tab is a member of the APN family now known as IAC Applications.How do I know if my computer is affected by My Sport Tab?You may see these browser extensions/add-ons:these warnings during install:You may see this changed setting:this icon in the browsers menu-bar:and this new homepage in the affected browsers:How did My Sport Tab get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.after a redirect to the webstore:How do I remove My Sport Tab?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of My Sport Tab? No, Malwarebytes' Anti-Malware removes My Sport Tab completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the My Sport Tab hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in a FRST log: CHR NewTab: Default -> Active:"chrome-extension://cpbogamaeokccmfbaclibdjjnjlpkill/newtabproduct.html" CHR Extension: (MySportTab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill [2019-02-14] Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0 Adds the file manifest.json"="2/14/2019 9:14 AM, 2387 bytes, A Adds the file newtabproduct.html"="10/18/2018 5:24 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales\en Adds the file messages.json"="2/14/2019 9:14 AM, 251 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata Adds the file computed_hashes.json"="2/14/2019 9:14 AM, 4560 bytes, A Adds the file verified_contents.json"="10/18/2018 5:24 PM, 5403 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\config Adds the file config.json"="10/18/2018 5:24 PM, 2049 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons Adds the file icon128.png"="2/14/2019 9:14 AM, 4986 bytes, A Adds the file icon16.png"="10/18/2018 5:24 PM, 412 bytes, A Adds the file icon19disabled.png"="10/18/2018 5:24 PM, 371 bytes, A Adds the file icon19on.png"="2/14/2019 9:14 AM, 580 bytes, A Adds the file icon48.png"="2/14/2019 9:14 AM, 1997 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js Adds the file ajax.js"="10/18/2018 5:24 PM, 2218 bytes, A Adds the file b2b-partner-tracking.js"="10/18/2018 5:24 PM, 11186 bytes, A Adds the file background.js"="10/18/2018 5:24 PM, 21476 bytes, A Adds the file browserUtils.js"="10/18/2018 5:24 PM, 912 bytes, A Adds the file chrome.js"="10/18/2018 5:24 PM, 146 bytes, A Adds the file content_script.js"="10/18/2018 5:24 PM, 2151 bytes, A Adds the file dlp.js"="10/18/2018 5:24 PM, 5659 bytes, A Adds the file dlpHelper.js"="10/18/2018 5:24 PM, 1799 bytes, A Adds the file extension_detect.js"="10/18/2018 5:24 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="10/18/2018 5:24 PM, 2855 bytes, A Adds the file index.js"="10/18/2018 5:24 PM, 49 bytes, A Adds the file initOfferCEF.js"="10/18/2018 5:24 PM, 8802 bytes, A Adds the file logger.js"="10/18/2018 5:24 PM, 541 bytes, A Adds the file offerService.js"="10/18/2018 5:24 PM, 10325 bytes, A Adds the file pageUtils.js"="10/18/2018 5:24 PM, 2805 bytes, A Adds the file PartnerId.js"="10/18/2018 5:24 PM, 16402 bytes, A Adds the file product.js"="10/18/2018 5:24 PM, 8403 bytes, A Adds the file splashPageRedirectHandler.js"="10/18/2018 5:24 PM, 2868 bytes, A Adds the file storage.js"="10/18/2018 5:24 PM, 1640 bytes, A Adds the file TabManager.js"="10/18/2018 5:24 PM, 151 bytes, A Adds the file TemplateParser.js"="10/18/2018 5:24 PM, 3038 bytes, A Adds the file ul.js"="10/18/2018 5:24 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="10/18/2018 5:24 PM, 1825 bytes, A Adds the file urlUtils.js"="10/18/2018 5:24 PM, 5349 bytes, A Adds the file util.js"="10/18/2018 5:24 PM, 3004 bytes, A Adds the file webtooltabAPI.js"="10/18/2018 5:24 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="10/18/2018 5:24 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill Adds the file 000003.log"="2/14/2019 9:14 AM, 5351 bytes, A Adds the file CURRENT"="2/14/2019 9:14 AM, 16 bytes, A Adds the file LOCK"="2/14/2019 9:14 AM, 0 bytes, A Adds the file LOG"="2/14/2019 9:14 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/14/2019 9:14 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cpbogamaeokccmfbaclibdjjnjlpkill"="REG_SZ", "896FE33B1C7541398512D772773A6115630DCFB13CAF62DFD078E86E80C358F4" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/14/19 Scan Time: 9:25 AM Log File: 11825bc8-3032-11e9-97a2-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9260 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235954 Threats Detected: 55 Threats Quarantined: 55 Time Elapsed: 4 min, 5 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MySearch.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cpbogamaeokccmfbaclibdjjnjlpkill, Quarantined, [1881], [443097],1.0.9260 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales\en, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\config, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CPBOGAMAEOKCCMFBACLIBDJJNJLPKILL, Quarantined, [1881], [443097],1.0.9260 File: 45 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\000003.log, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\CURRENT, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\LOCK, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\LOG, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpbogamaeokccmfbaclibdjjnjlpkill\MANIFEST-000001, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CPBOGAMAEOKCCMFBACLIBDJJNJLPKILL\13.817.14.15106_0\MANIFEST.JSON, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\config\config.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon128.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon16.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon19disabled.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon19on.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\icons\icon48.png, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\initOfferCEF.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\ajax.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\b2b-partner-tracking.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\background.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\browserUtils.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\chrome.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\content_script.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\dlp.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\dlpHelper.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\extension_detect.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\genericLoadRemoteSettings.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\index.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\logger.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\offerService.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\pageUtils.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\PartnerId.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\product.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\splashPageRedirectHandler.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\storage.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\TabManager.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\TemplateParser.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\ul.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\urlFragmentActions.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\urlUtils.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\util.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\webtooltabAPI.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\js\webTooltabAPIProxy.js, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_locales\en\messages.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata\computed_hashes.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\_metadata\verified_contents.json, Quarantined, [1881], [443097],1.0.9260 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpbogamaeokccmfbaclibdjjnjlpkill\13.817.14.15106_0\newtabproduct.html, Quarantined, [1881], [443097],1.0.9260 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Catalina?The Malwarebytes research team has determined that Catalina is a potentially unwanted program (PUP) that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by Catalina?You may see these warnings during install:these icons in your startmenu, your taskbar and on your desktop:these tasks in your Scheduled Tasks:and this entry in your list of installed Programs and Features:How did Catalina get on my computer?Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.In this case with the Citrio browser:How do I remove Catalina?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Catalina? No, Malwarebytes removes Catalina completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. Malwarebytes does not remove the Citrio browser. If you want to remove it, you can uninstall that from the Windows Control Panel. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the Catalina adware. It would have blocked the installer before it became too late. Technical details for expertsPossible signs in FRST logs: HKCU\...\Run: [CatalinaGroup Update] => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe [132104 2019-02-13] (Catalina Group Limited -> Catalina Group Ltd.) <==== ATTENTION FF Plugin HKCU: @catalinahub.net/CatalinaGroup Update;version=3 -> C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll [2019-02-13] (Catalina Group Ltd.) FF Plugin HKCU: @catalinahub.net/CatalinaGroup Update;version=9 -> C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll [2019-02-13] (Catalina Group Ltd.) C:\Users\{username}\Desktop\Chrome Web Store.lnk C:\Users\{username}\Desktop\Facebook.lnk C:\Users\{username}\Desktop\YouTube.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrio.lnk C:\Users\{username}\Desktop\Citrio.lnk C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job C:\Users\{username}\AppData\Local\CatalinaGroup C:\Windows\System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA C:\Windows\System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe Citrio (HKCU\...\Citrio) (Version: 50.0.2661.276 - © Catalinagroup Ltd.) <==== ATTENTION Task: {18948E4E-B2F0-4193-BCD3-984AB9734C95} - System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (Catalina Group Limited -> Catalina Group Ltd.) [File not signed] <==== ATTENTION Task: {467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6} - System32\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (Catalina Group Limited -> Catalina Group Ltd.) [File not signed] <==== ATTENTION Task: C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe <==== ATTENTION Task: C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job => C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe <==== ATTENTION ShortcutWithArgument: C:\Users\{username}\Desktop\Facebook.lnk -> C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (CatalinaGroup Ltd.) -> "hxxp://www.facebook.com" ShortcutWithArgument: C:\Users\{username}\Desktop\YouTube.lnk -> C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (CatalinaGroup Ltd.) -> "hxxp://www.youtube.com" FirewallRules: [{E73D6DA6-FC7D-4EBA-8C14-BBAA3BFDD8FD}] => (Allow) C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe (Catalina Group Limited -> CatalinaGroup Ltd.) Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application Adds the file chrome.VisualElementsManifest.xml"="2/13/2019 10:26 AM, 342 bytes, A Adds the file citrio.exe"="5/31/2017 6:03 AM, 1083264 bytes, A Adds the file debug.log"="2/13/2019 10:26 AM, 258 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\CrashReports Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update Adds the file CatalinaUpdate.exe"="2/13/2019 10:25 AM, 132104 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225 Adds the file CatalinaCrashHandler.exe"="2/13/2019 10:25 AM, 132104 bytes, A Adds the file CatalinaUpdate.exe"="2/13/2019 10:25 AM, 132104 bytes, A Adds the file CatalinaUpdateBroker.exe"="2/13/2019 10:25 AM, 59912 bytes, A Adds the file CatalinaUpdateHelper.msi"="2/13/2019 10:25 AM, 40960 bytes, A Adds the file CatalinaUpdateOnDemand.exe"="2/13/2019 10:25 AM, 59912 bytes, A Adds the file goopdate.dll"="2/13/2019 10:25 AM, 802312 bytes, A Adds the file goopdateres_am.dll"="2/13/2019 10:25 AM, 24072 bytes, A Adds the file goopdateres_ar.dll"="2/13/2019 10:25 AM, 25608 bytes, A Adds the file goopdateres_bg.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_bn.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_ca.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_cs.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_da.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_de.dll"="2/13/2019 10:25 AM, 30216 bytes, A Adds the file goopdateres_el.dll"="2/13/2019 10:25 AM, 29704 bytes, A Adds the file goopdateres_en.dll"="2/13/2019 10:25 AM, 26632 bytes, A Adds the file goopdateres_en-GB.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_es.dll"="2/13/2019 10:25 AM, 30216 bytes, A Adds the file goopdateres_es-419.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_et.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_fa.dll"="2/13/2019 10:25 AM, 26632 bytes, A Adds the file goopdateres_fi.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_fil.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_fr.dll"="2/13/2019 10:25 AM, 29704 bytes, A Adds the file goopdateres_gu.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_hi.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_hr.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_hu.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_id.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_is.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_it.dll"="2/13/2019 10:25 AM, 29704 bytes, A Adds the file goopdateres_iw.dll"="2/13/2019 10:25 AM, 25096 bytes, A Adds the file goopdateres_ja.dll"="2/13/2019 10:25 AM, 23560 bytes, A Adds the file goopdateres_kn.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_ko.dll"="2/13/2019 10:25 AM, 23048 bytes, A Adds the file goopdateres_lt.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_lv.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_ml.dll"="2/13/2019 10:25 AM, 30728 bytes, A Adds the file goopdateres_mr.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_ms.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_nl.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_no.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_pl.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_pt-BR.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_pt-PT.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_ro.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_ru.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_sk.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_sl.dll"="2/13/2019 10:25 AM, 28680 bytes, A Adds the file goopdateres_sr.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_sv.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_sw.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_ta.dll"="2/13/2019 10:25 AM, 29192 bytes, A Adds the file goopdateres_te.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_th.dll"="2/13/2019 10:25 AM, 26632 bytes, A Adds the file goopdateres_tr.dll"="2/13/2019 10:25 AM, 28168 bytes, A Adds the file goopdateres_uk.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_ur.dll"="2/13/2019 10:25 AM, 27656 bytes, A Adds the file goopdateres_vi.dll"="2/13/2019 10:25 AM, 27144 bytes, A Adds the file goopdateres_zh-CN.dll"="2/13/2019 10:25 AM, 21000 bytes, A Adds the file goopdateres_zh-TW.dll"="2/13/2019 10:25 AM, 21000 bytes, A Adds the file npCatalinaUpdate3.dll"="2/13/2019 10:25 AM, 237576 bytes, A Adds the file psmachine.dll"="2/13/2019 10:25 AM, 156680 bytes, A Adds the file psuser.dll"="2/13/2019 10:25 AM, 162824 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\50.0.2661.276 Adds the file citrio_50.0.2661.276_1.exe"="6/1/2017 10:00 AM, 59432320 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Install\{5066949F-6C76-4D2D-B5F4-9BA14B8C062B} Adds the file citrio_50.0.2661.276_1.exe"="6/1/2017 10:00 AM, 59432320 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CatalinaGroup\Update\Offline\{BD55EF3F-9661-4327-B056-D2D1C9BD36F7} In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2455 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2478 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2478 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file Chrome Web Store.lnk"="2/13/2019 10:26 AM, 2533 bytes, A Adds the file Citrio.lnk"="2/13/2019 10:26 AM, 2453 bytes, A Adds the file Facebook.lnk"="2/13/2019 10:26 AM, 2493 bytes, A Adds the file YouTube.lnk"="2/13/2019 10:26 AM, 2489 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core"="2/13/2019 10:25 AM, 3540 bytes, A Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA"="2/13/2019 10:25 AM, 3936 bytes, A In the existing folder C:\Windows\Tasks Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job"="2/13/2019 10:25 AM, 902 bytes, A Adds the file CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job"="2/13/2019 10:25 AM, 954 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures] "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job"="REG_BINARY, ............................$... "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job.fp"="REG_DWORD", 1917796137 "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job"="REG_BINARY, ................................ "CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job.fp"="REG_DWORD", 1081281079 [HKEY_CURRENT_USER\Software\CatalinaGroup\CitrioDownloader] [HKEY_CURRENT_USER\Software\CatalinaGroup\Update] "LastInstallerError"="REG_DWORD", 0 "LastInstallerResult"="REG_DWORD", 0 "LastInstallerSuccessLaunchCmdLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe"" "path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe" "uid"="REG_SZ", "{6AC4AB17-5F65-4002-8353-583D7EDA74B4}" "version"="REG_SZ", "1.3.25.225" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}] "bt"="REG_SZ", "1" "lang"="REG_SZ", "en" "name"="REG_SZ", "Citrio App Launcher" "oopcrashes"="REG_DWORD", 1 "pv"="REG_SZ", "50.0.2661.276" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}] "name"="REG_SZ", "Catalina Update" "pv"="REG_SZ", "1.3.25.225" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}] "bt"="REG_SZ", "1" "lang"="REG_SZ", "en" "name"="REG_SZ", "Citrio" "oopcrashes"="REG_DWORD", 1 "pv"="REG_SZ", "50.0.2661.276" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade] "AutoRunOnOSUpgrade"="REG_DWORD", 1 "CommandLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" --on-os-upgrade --verbose-logging" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}] "brand"="REG_SZ", "GGLS" "iid"="REG_SZ", "{B7A36BE9-E198-4287-9D35-BC1CFD561747}" "InstallTime"="REG_DWORD", 1550049952 "pv"="REG_SZ", "1.3.25.225" [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}] "_NumAccounts"="REG_SZ", "1" "_NumSignedIn"="REG_SZ", "0" "brand"="REG_SZ", "GGLS" "bt"="REG_SZ", "1" "dr"="REG_SZ", "1" "iid"="REG_SZ", "{B7A36BE9-E198-4287-9D35-BC1CFD561747}" "InstallTime"="REG_DWORD", 1550049966 "lang"="REG_SZ", "en" "LastCheckSuccess"="REG_DWORD", 1550049978 "LastInstallerError"="REG_DWORD", 0 "LastInstallerResult"="REG_DWORD", 0 "LastInstallerSuccessLaunchCmdLine"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe"" "lastrun"="REG_SZ", "13194523582822146" "LastWasDefault"="REG_QWORD, .... "pv"="REG_SZ", "50.0.2661.276" "referral"="REG_SZ", "1:citrio_website" "UninstallArguments"="REG_SZ", " --uninstall" "UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" "usagestats"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\network\secure] [HKEY_CURRENT_USER\Software\CatalinaGroup\Update\proxy] "source"="REG_SZ", "IE" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "CatalinaGroup Update"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe" /c" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio] "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\citrio.exe,0" "DisplayName"="REG_SZ", "Citrio" "DisplayVersion"="REG_SZ", "50.0.2661.276" "InstallDate"="REG_SZ", "20190213" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "© Catalinagroup Ltd." "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\Application\50.0.2661.276\Installer\setup.exe" --uninstall" "Version"="REG_SZ", "50.0.2661.276" "VersionMajor"="REG_DWORD", 2661 "VersionMinor"="REG_DWORD", 276 [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3] "Description"="REG_SZ", "CatalinaGroup Update" "Path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll" "ProductName"="REG_SZ", "CatalinaGroup Update" "Vendor"="REG_SZ", "Catalina Group Ltd." "Version"="REG_SZ", "3" [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3\MimeTypes\application/x-vnd.catalinahub.update3webcontrol.3] [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9] "Description"="REG_SZ", "CatalinaGroup Update" "Path"="REG_SZ", "C:\Users\{username}\AppData\Local\CatalinaGroup\Update\1.3.25.225\npCatalinaUpdate3.dll" "ProductName"="REG_SZ", "CatalinaGroup Update" "Vendor"="REG_SZ", "Catalina Group Ltd." "Version"="REG_SZ", "9" [HKEY_CURRENT_USER\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9\MimeTypes\application/x-vnd.catalinahub.oneclickctrl.9] [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.40_0\binaries\win\imageformats] "qico4.dll"="REG_MULTI_SZ, "2017-02-17T13:35:50 ico " [HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Users\{username}\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.40_0\binaries\win\imageformats] "qico4.dll"="REG_MULTI_SZ, "40806 0 Windows msvc release full-config 2017-02-17T13:35:50 " Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/13/19 Scan Time: 10:34 AM Log File: 99374b67-2f72-11e9-8ffc-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.527 Update Package Version: 1.0.9238 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236076 Threats Detected: 26 Threats Quarantined: 26 Time Elapsed: 4 min, 27 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238 Module: 2 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\GOOPDATE.DLL, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238 Registry Key: 6 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6}, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{467A2CF4-D247-447D-9C6F-0F2E9E5F9BB6}, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{18948E4E-B2F0-4193-BCD3-984AB9734C95}, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{18948E4E-B2F0-4193-BCD3-984AB9734C95}, Quarantined, [500], [635491],1.0.9238 Registry Value: 1 PUP.Optional.Catalina, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|CatalinaGroup Update, Quarantined, [500], [635491],1.0.9238 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 16 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\GOOPDATE.DLL, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core.job, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\SYSTEM32\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}Core, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA.job, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\WINDOWS\SYSTEM32\TASKS\CatalinaGroupUpdateTaskUserS-1-5-21-{userCLSID}UA, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\UPDATE\CATALINAUPDATE.EXE, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\CATALINAUPDATESETUP.EXE, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Start Menu\Programs\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Chrome Web Store.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Citrio.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\Facebook.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\DESKTOP\YouTube.lnk, Quarantined, [500], [635491],1.0.9238 PUP.Optional.Catalina, C:\USERS\{username}\APPDATA\LOCAL\CATALINAGROUP\CITRIO\APPLICATION\CITRIO.EXE, Quarantined, [500], [635491],1.0.9238 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Search Secure?The Malwarebytes research team has determined that Search Secure is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search Secure?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search Secure get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Search Secure?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search Secure? No, Malwarebytes removes Search Secure completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search Secure hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://www.searchsecureprime.co/search.html?type=search&id=MTI3NT#q={searchTerms} CHR DefaultSearchKeyword: Default -> Yahoo CHR DefaultSuggestURL: Default -> hxxps://www.searchsecureprime.co/sugg/ie?output=fxjson&command={searchTerms}&nResults=10 CHR Extension: (Web) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj [2019-02-12] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0 Adds the file manifest.json"="2/12/2019 11:08 AM, 2208 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata Adds the file computed_hashes.json"="2/12/2019 11:08 AM, 10670 bytes, A Adds the file verified_contents.json"="1/7/2019 2:40 PM, 7156 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\core Adds the file content.js"="1/7/2019 2:40 PM, 9135 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\block Adds the file block.html"="1/7/2019 2:40 PM, 2076 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css Adds the file annotations.css"="1/7/2019 2:40 PM, 147281 bytes, A Adds the file blockedPage.css"="1/7/2019 2:40 PM, 4533 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img Adds the file annotations-sprite_new.png"="1/7/2019 2:40 PM, 10135 bytes, A Adds the file at-risk-icon.png"="1/7/2019 2:40 PM, 1247 bytes, A Adds the file bg.jpg"="1/7/2019 2:40 PM, 2614 bytes, A Adds the file btn-search.svg"="1/7/2019 2:40 PM, 675 bytes, A Adds the file caution.png"="1/7/2019 2:40 PM, 2738 bytes, A Adds the file caution_.png"="1/7/2019 2:40 PM, 489 bytes, A Adds the file close-pop.png"="1/7/2019 2:40 PM, 693 bytes, A Adds the file footer-bg1-new.png"="1/7/2019 2:40 PM, 2283 bytes, A Adds the file img-blocked.svg"="1/7/2019 2:40 PM, 364 bytes, A Adds the file layer.png"="1/7/2019 2:40 PM, 30798 bytes, A Adds the file pointer.png"="1/7/2019 2:40 PM, 2699 bytes, A Adds the file popupimage.png"="1/7/2019 2:40 PM, 39964 bytes, A Adds the file safe.png"="1/7/2019 2:40 PM, 3452 bytes, A Adds the file safe_.png"="1/7/2019 2:40 PM, 842 bytes, A Adds the file safe-icon.png"="1/7/2019 2:40 PM, 1251 bytes, A Adds the file search.svg"="1/7/2019 2:40 PM, 332 bytes, A Adds the file searchicon.png"="1/7/2019 2:40 PM, 1425 bytes, A Adds the file search-icon-2.png"="1/7/2019 2:40 PM, 9539 bytes, A Adds the file searchmagnifier.png"="1/7/2019 2:40 PM, 4127 bytes, A Adds the file sf_overlay_sprite.png"="1/7/2019 2:40 PM, 13244 bytes, A Adds the file sf-magni.png"="1/7/2019 2:40 PM, 1433 bytes, A Adds the file sf-sprite.png"="1/7/2019 2:40 PM, 17709 bytes, A Adds the file small-search.png"="1/7/2019 2:40 PM, 3875 bytes, A Adds the file srch.png"="1/7/2019 2:40 PM, 1241 bytes, A Adds the file ss-logo.png"="1/7/2019 2:40 PM, 28412 bytes, A Adds the file tick.png"="1/7/2019 2:40 PM, 2513 bytes, A Adds the file trans1.png"="1/7/2019 2:40 PM, 935 bytes, A Adds the file untested.png"="1/7/2019 2:40 PM, 2705 bytes, A Adds the file untested_.png"="1/7/2019 2:40 PM, 790 bytes, A Adds the file untested-icon.png"="1/7/2019 2:40 PM, 1288 bytes, A Adds the file warning.png"="1/7/2019 2:40 PM, 2909 bytes, A Adds the file warning_.png"="1/7/2019 2:40 PM, 676 bytes, A Adds the file warning-icon.png"="1/7/2019 2:40 PM, 1137 bytes, A Adds the file website.svg"="1/7/2019 2:40 PM, 6696 bytes, A Adds the file welcome-box-bg.png"="1/7/2019 2:40 PM, 45548 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\js Adds the file content-ui.js"="1/7/2019 2:40 PM, 4104 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup Adds the file popup.html"="1/7/2019 2:40 PM, 8857 bytes, A Adds the file popup.js"="1/7/2019 2:40 PM, 6948 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\icons Adds the file icon128.png"="2/12/2019 11:08 AM, 5411 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js Adds the file blockpage.js"="1/7/2019 2:40 PM, 2062 bytes, A Adds the file custombackground.js"="1/7/2019 2:40 PM, 12588 bytes, A Adds the file jquery-3.2.1.min.js"="1/7/2019 2:40 PM, 86659 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj Adds the file 000003.log"="2/12/2019 11:20 AM, 2991 bytes, A Adds the file CURRENT"="2/12/2019 11:08 AM, 16 bytes, A Adds the file LOCK"="2/12/2019 11:08 AM, 0 bytes, A Adds the file LOG"="2/12/2019 11:20 AM, 409 bytes, A Adds the file LOG.old"="2/12/2019 11:08 AM, 185 bytes, A Adds the file MANIFEST-000001"="2/12/2019 11:08 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj Adds the file 000003.log"="2/12/2019 11:18 AM, 3893 bytes, A Adds the file CURRENT"="2/12/2019 11:18 AM, 16 bytes, A Adds the file LOCK"="2/12/2019 11:18 AM, 0 bytes, A Adds the file LOG"="2/12/2019 11:18 AM, 183 bytes, A Adds the file MANIFEST-000001"="2/12/2019 11:18 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "eamojhigmclkheifikgdfnaihmmeaedj"="REG_SZ", "CD6ACF0592B9DDBBBD42C84385488F522090911D9A11FB24C9EA990F544DE1C2" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/12/19 Scan Time: 11:26 AM Log File: b4ce00c6-2eb0-11e9-b8af-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9224 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235892 Threats Detected: 79 Threats Quarantined: 79 Time Elapsed: 5 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchSecure, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\block, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\icons, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\core, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\eamojhigmclkheifikgdfnaihmmeaedj, Quarantined, [259], [631847],1.0.9224 File: 64 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\core\content.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\block\block.html, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css\annotations.css, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\css\blockedPage.css, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\safe_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\annotations-sprite_new.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\at-risk-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\bg.jpg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\btn-search.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\caution.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\caution_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\close-pop.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\footer-bg1-new.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\img-blocked.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\layer.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\pointer.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\popupimage.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\safe-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\safe.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\search-icon-2.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\search.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\searchicon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\searchmagnifier.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\sf-magni.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\sf-sprite.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\sf_overlay_sprite.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\small-search.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\srch.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\ss-logo.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\tick.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\trans1.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\untested-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\untested.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\untested_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\warning-icon.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\warning.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\warning_.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\website.svg, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\img\welcome-box-bg.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\js\content-ui.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup\popup.html, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\homepage\popup\popup.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\icons\icon128.png, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js\blockpage.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js\custombackground.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\js\jquery-3.2.1.min.js, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata\computed_hashes.json, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\_metadata\verified_contents.json, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\eamojhigmclkheifikgdfnaihmmeaedj\2.7.0.23_0\manifest.json, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\000003.log, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\CURRENT, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOCK, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOG, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOG.old, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\MANIFEST-000001, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\000003.log, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\CURRENT, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOCK, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\LOG, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\eamojhigmclkheifikgdfnaihmmeaedj\MANIFEST-000001, Quarantined, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [259], [631847],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [631849],1.0.9224 PUP.Optional.SearchSecure, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [631849],1.0.9224 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is System Clean Pro?The Malwarebytes research team has determined that System Clean Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with System Clean Pro?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and this type of screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did System Clean Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove System Clean Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of System Clean Pro? No, Malwarebytes removes System Clean Pro completely. This PUP creates a scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the System Clean Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\System-Clean Pro for {computername}\rtc.exe C:\Windows\System32\Tasks\System-Clean Pro_Logon C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername} C:\ProgramData\System-Clean Pro for {computername} C:\Users\Public\Desktop\System-Clean Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername} C:\Program Files\System-Clean Pro for {computername} System-Clean Pro (HKLM\...\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1) (Version: 1.0.0.1 - ) Task: {7B430A13-C971-4F9A-81D1-4AAA9CFECF21} - System32\Tasks\System-Clean Pro_Logon => C:\Program Files\System-Clean Pro for {computername}\rtc.exe (PC Speedup Tools Inc. -> ) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\System-Clean Pro for {computername} Adds the file application.ico"="1/21/2019 3:58 PM, 56150 bytes, A Adds the file danish_iss.ini"="5/16/2018 12:25 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 12:25 PM, 2600 bytes, A Adds the file english_iss.ini"="5/16/2018 12:25 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/16/2018 12:25 PM, 2368 bytes, A Adds the file French_iss.ini"="5/16/2018 12:25 PM, 2792 bytes, A Adds the file german_iss.ini"="5/16/2018 12:25 PM, 2658 bytes, A Adds the file gmtrs.dll"="2/4/2019 12:29 PM, 1976408 bytes, A Adds the file HtmlRenderer.dll"="2/4/2019 12:29 PM, 236632 bytes, A Adds the file HtmlRenderer.WinForms.dll"="2/4/2019 12:29 PM, 75352 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="2/4/2019 12:29 PM, 64088 bytes, A Adds the file Interop.SHDocVw.dll"="2/4/2019 12:29 PM, 178776 bytes, A Adds the file italian_iss.ini"="5/16/2018 12:25 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/16/2018 12:25 PM, 1844 bytes, A Adds the file langs.db"="11/10/2018 4:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="2/4/2019 12:29 PM, 185944 bytes, A Adds the file NAudio.dll"="2/4/2019 12:29 PM, 485976 bytes, A Adds the file Newtonsoft.Json.dll"="2/4/2019 12:29 PM, 475736 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 12:25 PM, 2358 bytes, A Adds the file PaddleCheckoutSDK.dll"="2/4/2019 12:29 PM, 73816 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 12:25 PM, 2424 bytes, A Adds the file rtc.exe"="2/4/2019 12:29 PM, 2439256 bytes, A Adds the file rtc.exe.config"="2/4/2019 12:28 PM, 6387 bytes, A Adds the file russian_iss.ini"="5/16/2018 12:25 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/16/2018 12:25 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/16/2018 12:25 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="2/4/2019 12:29 PM, 305752 bytes, A Adds the file TAFactory.IconPack.dll"="2/4/2019 12:29 PM, 51800 bytes, A Adds the file unins000.dat"="2/11/2019 9:01 AM, 85281 bytes, A Adds the file unins000.exe"="2/11/2019 9:01 AM, 1243736 bytes, A Adds the file unins000.msg"="2/11/2019 9:01 AM, 22701 bytes, A Adds the folder C:\Program Files\System-Clean Pro for {computername}\x64 Adds the file SQLite.Interop.dll"="2/4/2019 12:29 PM, 1190488 bytes, A Adds the folder C:\Program Files\System-Clean Pro for {computername}\x86 Adds the file SQLite.Interop.dll"="2/4/2019 12:29 PM, 869464 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername} Adds the file Buy System-Clean Pro.lnk"="2/11/2019 9:01 AM, 986 bytes, A Adds the file System-Clean Pro.lnk"="2/11/2019 9:01 AM, 974 bytes, A Adds the file Uninstall System-Clean Pro.lnk"="2/11/2019 9:01 AM, 1005 bytes, A Adds the folder C:\ProgramData\System-Clean Pro for {computername} Adds the file mdb.db"="10/26/2018 11:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 12:25 PM, 130973 bytes, A Adds the folder C:\ProgramData\System-Clean Pro for {computername}\offers Adds the file a_p_t.exe"="2/11/2019 9:06 AM, 832040 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername} Adds the file a_p_t_2.xml"="2/11/2019 9:06 AM, 1206 bytes, A Adds the file Errorlog.txt"="2/11/2019 9:06 AM, 32904 bytes, A Adds the file exlist.bin"="2/11/2019 9:02 AM, 258015 bytes, A Adds the file notifier.xml"="2/11/2019 9:03 AM, 17312 bytes, A Adds the file param.ini"="2/11/2019 9:01 AM, 1006 bytes, A Adds the file res.xml"="2/11/2019 9:05 AM, 23196 bytes, A Adds the file update.xml"="2/11/2019 9:03 AM, 45832 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file System-Clean Pro.lnk"="2/11/2019 9:01 AM, 956 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file System-Clean Pro_Logon"="2/11/2019 9:02 AM, 3074 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}\rtc.exe" "DisplayName"="REG_SZ", "System-Clean Pro" "DisplayVersion"="REG_SZ", "1.0.0.1" "EstimatedSize"="REG_DWORD", 18726 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" "Inno Setup: Icon Group"="REG_SZ", "System-Clean Pro for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190211" "InstallLocation"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\System-Clean Pro for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\System-Clean Pro for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WSK3622_WSK3550_RUNT" "referUrl"="REG_SZ", "https%253a%252f%252ffreewindowsupdate.next-site-loading.com%252fcampaigns%252fd%252flanders%252fadvanced%252freimage%252findex.php%253flpkey%253d15df48e428c2795382%2526os_version%253d10%2526os_name%253dWindows%2526device_name%253dDesktop%2526language%253den-US%2526uclick%253du31mxoiki4" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "wskmbi" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "81443" "utm_source"="REG_SZ", "wskmbi" "x-at"="REG_SZ", "XXXXX" "x-context"="REG_SZ", "4050853299" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\System-Clean Pro For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trkinstl.com/install/scpo/?" "apst"="REG_DWORD", 0 "btnid"="REG_SZ", "" "buybowinapp"="REG_SZ", "http://store.bitssystools.club/scpo/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, .............................................................. "Installstring"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" "ipaddrurl"="REG_SZ", "http://www.trkinstl.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "lstregscancount"="REG_DWORD", 58 "lstscandate"="REG_SZ", "2/11/2019 9:05:15 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 58 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trkinstl.com/ipfiles/" "pdtm"="REG_DWORD", 45 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.trkinstl.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.bitssystools.club/scpo/price?" "pxl"="REG_SZ", "WSK3622_WSK3550_RUNT" "referurl"="REG_SZ", "https%253a%252f%252ffreewindowsupdate.next-site-loading.com%252fcampaigns%252fd%252flanders%252fadvanced%252freimage%252findex.php%253flpkey%253d15df48e428c2795382%2526os_version%253d10%2526os_name%253dWindows%2526device_name%253dDesktop%2526language%253den-US%2526uclick%253du31mxoiki4" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.bitssystools.club/scpo/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.bitssystools.club/help/" "TELNO"="REG_SZ", "877-884-1178" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "877-884-1178" "utm_campaign"="REG_SZ", "wskmbi" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "81443" "utm_source"="REG_SZ", "wskmbi" "WebURL"="REG_SZ", "http://www.bitssystools.club/" "wfoset"="REG_DWORD", 1 "x-at"="REG_SZ", "XXXXX" "x-ccode"="REG_SZ", "us" "x-context"="REG_SZ", "4050853299" "x-datetime"="REG_SZ", "02-11-2019 08:01:56 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "77_234_46_211" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\U3lzdGVtLUNsZWFuIFBybw==\ACT] "data"="REG_BINARY, ........................................... [HKEY_CURRENT_USER\Software\AppCleaner.com] [HKEY_CURRENT_USER\Software\System-Clean Pro For {computername}] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WSK3622_WSK3550_RUNT" "referurl"="REG_SZ", "https%253a%252f%252ffreewindowsupdate.next-site-loading.com%252fcampaigns%252fd%252flanders%252fadvanced%252freimage%252findex.php%253flpkey%253d15df48e428c2795382%2526os_version%253d10%2526os_name%253dWindows%2526device_name%253dDesktop%2526language%253den-US%2526uclick%253du31mxoiki4" "TELNO"="REG_SZ", "877-884-1178" "TELNO_us"="REG_SZ", "877-884-1178" "utm_campaign"="REG_SZ", "wskmbi" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "81443" "utm_source"="REG_SZ", "wskmbi" "x-at"="REG_SZ", "XXXXX" "x-context"="REG_SZ", "4050853299" "x-datetime"="REG_SZ", "02-11-2019 08:01:56 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "77_234_46_211" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\System-Clean Pro For {computername}\1.0.0.1] "Installstring"="REG_SZ", "C:\Program Files\System-Clean Pro for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/11/19 Scan Time: 9:13 AM Log File: dce45506-2dd4-11e9-a97b-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9204 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235984 Threats Detected: 80 Threats Quarantined: 80 Time Elapsed: 4 min, 24 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe, Quarantined, [442], [635146],1.0.9204 Module: 7 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [442], [635146],1.0.9204 Registry Key: 7 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\System-Clean Pro_Logon, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7B430A13-C971-4F9A-81D1-4AAA9CFECF21}, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{7B430A13-C971-4F9A-81D1-4AAA9CFECF21}, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [442], [540842],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\System-Clean Pro For {computername}, Quarantined, [442], [635144],1.0.9204 PUP.Optional.PCVARK, HKCU\SOFTWARE\System-Clean Pro For {computername}, Quarantined, [442], [635145],1.0.9204 Registry Value: 6 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7B430A13-C971-4F9A-81D1-4AAA9CFECF21}|PATH, Quarantined, [442], [635141],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [442], [540842],1.0.9204 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1189], [484510],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\System-Clean Pro For {computername}|AFFIRED, Quarantined, [442], [635144],1.0.9204 PUP.Optional.PCVARK, HKCU\SOFTWARE\System-Clean Pro For {computername}|AFFILIATEID, Quarantined, [442], [635145],1.0.9204 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{90017557-79E0-47D6-AAB6-880EF5BC06F9}_is1|DISPLAYNAME, Quarantined, [442], [635151],1.0.9204 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\System-Clean Pro for {computername}, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\smico, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\System-Clean Pro For {computername}, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x64, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x86, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAM FILES\System-Clean Pro for {computername}, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\System-Clean Pro for {computername}\offers, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAMDATA\System-Clean Pro for {computername}, Quarantined, [442], [635148],1.0.9204 File: 51 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\System-Clean Pro for {computername}\Buy System-Clean Pro.lnk, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername}\System-Clean Pro.lnk, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System-Clean Pro for {computername}\Uninstall System-Clean Pro.lnk, Quarantined, [442], [635147],1.0.9204 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\System-Clean Pro For {computername}\Errorlog.txt, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\a_p_t_2.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\exlist.bin, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\notifier.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\param.ini, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\res.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\System-Clean Pro For {computername}\update.xml, Quarantined, [442], [635149],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAM FILES\System-Clean Pro for {computername}\unins000.dat, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\application.ico, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\danish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Dutch_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\english_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\finish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\French_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\german_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\gmtrs.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\HtmlRenderer.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\italian_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\japanese_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\langs.db, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\NAudio.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\norwegian_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\portuguese_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\rtc.exe.config, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\russian_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\spanish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\swedish_iss.ini, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\unins000.exe, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\Program Files\System-Clean Pro for {computername}\unins000.msg, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\System-Clean Pro_Logon, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\System-Clean Pro.lnk, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\System-Clean Pro.lnk, Quarantined, [442], [635146],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAMDATA\System-Clean Pro for {computername}\mdb.db, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\System-Clean Pro for {computername}\offers\a_p_t.exe, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\ProgramData\System-Clean Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [442], [635148],1.0.9204 PUP.Optional.PCVARK, C:\PROGRAMDATA\SYSTEM-CLEAN PRO FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [442], [583068],1.0.9204 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [442], [583068],1.0.9204 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is SecuryBrowse Shield?The Malwarebytes research team has determined that SecuryBrowse Shield is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by SecuryBrowse Shield?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did SecuryBrowse Shield get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove SecuryBrowse Shield?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of SecuryBrowse Shield? No, Malwarebytes removes SecuryBrowse Shield completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the SecuryBrowse Shield hijacker. It would have blocked their notifications service, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://search.securybrowse.com/?dss&yh&q={searchTerms} CHR DefaultSearchKeyword: Default -> securyBrowse CHR Extension: (securyBrowse) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc [2019-02-08] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0 Adds the file extenv.js"="5/6/2018 5:56 PM, 1444 bytes, A Adds the file init.js"="3/11/2018 2:35 PM, 4097 bytes, A Adds the file manifest.json"="2/8/2019 8:57 AM, 2132 bytes, A Adds the file popup.html"="3/11/2018 2:35 PM, 2767 bytes, A Adds the file popup.js"="3/11/2018 2:35 PM, 2092 bytes, A Adds the file safeUtils.js"="3/11/2018 2:35 PM, 426 bytes, A Adds the file settings.js"="3/11/2018 2:35 PM, 425 bytes, A Adds the file wa.png"="3/11/2018 2:35 PM, 68 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata Adds the file computed_hashes.json"="2/8/2019 8:57 AM, 3117 bytes, A Adds the file verified_contents.json"="5/28/2018 5:49 PM, 2988 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\external Adds the file jquery.js"="3/11/2018 2:35 PM, 86713 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons Adds the file icon128.png"="2/8/2019 8:57 AM, 7265 bytes, A Adds the file icon128_warn.png"="2/22/2018 3:55 PM, 7186 bytes, A Adds the file icon16.png"="2/8/2019 8:57 AM, 7841 bytes, A Adds the file icon16_warn.png"="3/11/2018 2:35 PM, 7224 bytes, A Adds the file logo_med.png"="3/11/2018 2:35 PM, 9363 bytes, A Adds the file scanbg.png"="3/11/2018 2:35 PM, 32861 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\js Adds the file background.js"="3/11/2018 2:35 PM, 10961 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc Adds the file 000003.log"="2/8/2019 8:57 AM, 0 bytes, A Adds the file CURRENT"="2/8/2019 8:57 AM, 16 bytes, A Adds the file LOCK"="2/8/2019 8:57 AM, 0 bytes, A Adds the file LOG"="2/8/2019 8:57 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/8/2019 8:57 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kjincgipkjkimkcmolmajgcfpdjbckgc"="REG_SZ", "39F82F23BDFE7C4A8DBF71E3160AE0B93054FF9D7AF89A127318255D5601B8A7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/8/19 Scan Time: 9:15 AM Log File: b3e6008a-2b79-11e9-8274-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9170 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236020 Threats Detected: 34 Threats Quarantined: 34 Time Elapsed: 4 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SecuryBrowse, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kjincgipkjkimkcmolmajgcfpdjbckgc, Quarantined, [260], [596810],1.0.9170 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\external, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc, Quarantined, [260], [596810],1.0.9170 File: 26 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\external\jquery.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon128.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon128_warn.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon16.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\icon16_warn.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\logo_med.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\icons\scanbg.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\js\background.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata\computed_hashes.json, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\_metadata\verified_contents.json, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\extenv.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\init.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\manifest.json, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\popup.html, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\popup.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\safeUtils.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\settings.js, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjincgipkjkimkcmolmajgcfpdjbckgc\1.3.6.117_0\wa.png, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\000003.log, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\CURRENT, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\LOCK, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\LOG, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kjincgipkjkimkcmolmajgcfpdjbckgc\MANIFEST-000001, Quarantined, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [260], [596810],1.0.9170 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [260], [596810],1.0.9170 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Boost My PC Pro?The Malwarebytes research team has determined that Boost My PC Pro is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Boost My PC Pro?This is how the main screen of the system optimizer looks: You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install: and this type of tooltips during "operations": You may see this entry in your list of installed programs: and this task in your list of Scheduled Tasks: How did Boost My PC Pro get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website: How do I remove Boost My PC Pro?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Boost My PC Pro? No, Malwarebytes removes Boost My PC Pro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Boost My PC Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe C:\Windows\System32\Tasks\Boost My-PC Pro_Logon C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername} C:\ProgramData\Boost My-PC Pro for {computername} C:\Users\Public\Desktop\Boost My-PC Pro.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername} C:\Program Files\Boost My-PC Pro for {computername} ( ) C:\Users\{username}\Desktop\bmppsetup.exe Boost My-PC Pro (HKLM\...\{D975B09E-4D2E-42AE-AC5A-51326AFD76AD}_is1) (Version: 1.0.0.0 - ) Task: {82B712BC-4674-4991-9980-F1CC1C7726D7} - System32\Tasks\Boost My-PC Pro_Logon => C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe [2019-02-05] () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Boost My-PC Pro for {computername} Adds the file application.ico"="1/21/2019 3:58 PM, 56150 bytes, A Adds the file danish_iss.ini"="5/16/2018 12:25 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 12:25 PM, 2600 bytes, A Adds the file english_iss.ini"="5/16/2018 12:25 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/16/2018 12:25 PM, 2368 bytes, A Adds the file French_iss.ini"="5/16/2018 12:25 PM, 2792 bytes, A Adds the file german_iss.ini"="5/16/2018 12:25 PM, 2658 bytes, A Adds the file gmtrs.dll"="2/5/2019 3:04 PM, 1973408 bytes, A Adds the file HtmlRenderer.dll"="2/5/2019 3:04 PM, 236704 bytes, A Adds the file HtmlRenderer.WinForms.dll"="2/5/2019 3:04 PM, 75424 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="2/5/2019 3:04 PM, 64160 bytes, A Adds the file Interop.SHDocVw.dll"="2/5/2019 3:04 PM, 178848 bytes, A Adds the file italian_iss.ini"="5/16/2018 12:25 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/16/2018 12:25 PM, 1844 bytes, A Adds the file langs.db"="11/10/2018 4:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="2/5/2019 3:04 PM, 186016 bytes, A Adds the file NAudio.dll"="2/5/2019 3:04 PM, 486048 bytes, A Adds the file Newtonsoft.Json.dll"="2/5/2019 3:04 PM, 475808 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 12:25 PM, 2358 bytes, A Adds the file PaddleCheckoutSDK.dll"="2/5/2019 3:04 PM, 73888 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 12:25 PM, 2424 bytes, A Adds the file rtc.exe"="2/5/2019 3:04 PM, 2439328 bytes, A Adds the file rtc.exe.config"="2/5/2019 3:03 PM, 6440 bytes, A Adds the file russian_iss.ini"="5/16/2018 12:25 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/16/2018 12:25 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/16/2018 12:25 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="2/5/2019 3:04 PM, 305824 bytes, A Adds the file TAFactory.IconPack.dll"="2/5/2019 3:04 PM, 51872 bytes, A Adds the file unins000.dat"="2/7/2019 9:02 AM, 85143 bytes, A Adds the file unins000.exe"="2/7/2019 9:01 AM, 1243808 bytes, A Adds the file unins000.msg"="2/7/2019 9:02 AM, 22701 bytes, A Adds the folder C:\Program Files\Boost My-PC Pro for {computername}\x64 Adds the file SQLite.Interop.dll"="2/5/2019 3:04 PM, 1190560 bytes, A Adds the folder C:\Program Files\Boost My-PC Pro for {computername}\x86 Adds the file SQLite.Interop.dll"="2/5/2019 3:04 PM, 869536 bytes, A Adds the folder C:\ProgramData\Boost My-PC Pro for {computername} Adds the file mdb.db"="10/26/2018 11:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 12:25 PM, 130973 bytes, A Adds the folder C:\ProgramData\Boost My-PC Pro for {computername}\offers Adds the file a_p_t.exe"="2/7/2019 9:07 AM, 832040 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername} Adds the file Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 967 bytes, A Adds the file Buy Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 979 bytes, A Adds the file Uninstall Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 998 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername} Adds the file a_p_t_2.xml"="2/7/2019 9:07 AM, 1206 bytes, A Adds the file Errorlog.txt"="2/7/2019 9:07 AM, 33648 bytes, A Adds the file exlist.bin"="2/7/2019 9:03 AM, 258013 bytes, A Adds the file notifier.xml"="2/7/2019 9:04 AM, 16128 bytes, A Adds the file res.xml"="2/7/2019 9:06 AM, 21217 bytes, A Adds the file update.xml"="2/7/2019 9:04 AM, 43090 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Boost My-PC Pro.lnk"="2/7/2019 9:02 AM, 949 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Boost My-PC Pro_Logon"="2/7/2019 9:03 AM, 3072 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Boost My-PC Pro For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins1.alfactiv.com/install/bmpp/?" "apst"="REG_DWORD", 0 "buybowinapp"="REG_SZ", "http://store.bitscleanuputils.xyz/bmpp/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "us" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................................................................................................................................................................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" "ipaddrurl"="REG_SZ", "http://www.alfactiv.com/getip/" "isavst"="REG_DWORD", 0 "ishow_apt"="REG_DWORD", 1 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lstregscancount"="REG_DWORD", 53 "lstscandate"="REG_SZ", "2/7/2019 9:06:00 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 53 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.alfactiv.com/ipfiles/" "pdtm"="REG_DWORD", 30 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.alfactiv.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.bitscleanuputils.xyz/bmpp/price?" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.bitscleanuputils.xyz/bmpp/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.bitscleanuputils.xyz/help/" "TELNO"="REG_SZ", "877-884-1178" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "+31-08-58882839" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "877-884-1178" "WebURL"="REG_SZ", "http://www.bitscleanuputils.xyz/" "wfoset"="REG_DWORD", 1 "x-ccode"="REG_SZ", "us" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_211" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D975B09E-4D2E-42AE-AC5A-51326AFD76AD}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe" "DisplayName"="REG_SZ", "Boost My-PC Pro" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 18721 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Boost My-PC Pro for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190207" "InstallLocation"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Boost My-PC Pro for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Boost My-PC Pro for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Qm9vc3QgTXktUEMgUHJv\ACT] "data"="REG_BINARY, ........................................................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "us" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "" "referUrl"="REG_SZ", "" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "" "utm_source"="REG_SZ", "" "x-at"="REG_SZ", "" "x-context"="REG_SZ", "" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\AppCleaner.com] [HKEY_CURRENT_USER\Software\Boost My-PC Pro For {computername}] "affiliateid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" "LangCode"="REG_SZ", "en" "TELNO"="REG_SZ", "877-884-1178" "TELNO_us"="REG_SZ", "877-884-1178" "utm_medium"="REG_SZ", "" "x-datetime"="REG_SZ", "" "x-fetch"="REG_SZ", "0" "x-ip"="REG_SZ", "77_234_46_211" [HKEY_CURRENT_USER\Software\Boost My-PC Pro For {computername}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\Boost My-PC Pro for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/7/19 Scan Time: 9:15 AM Log File: 94433fb5-2ab0-11e9-a3ea-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9150 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236097 Threats Detected: 76 Threats Quarantined: 76 Time Elapsed: 3 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe, Quarantined, [863], [512031],1.0.9150 Module: 7 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [863], [512031],1.0.9150 Registry Key: 8 PUP.Optional.BoostPCPro, HKCU\SOFTWARE\Boost My-PC Pro For {computername}, Quarantined, [863], [512035],1.0.9150 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [442], [540842],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\Boost My-PC Pro For {computername}, Quarantined, [863], [512034],1.0.9150 PUP.Optional.PCVARK, HKLM\SOFTWARE\Qm9vc3QgTXktUEMgUHJv, Quarantined, [442], [635162],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Boost My-PC Pro_Logon, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{82B712BC-4674-4991-9980-F1CC1C7726D7}, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{82B712BC-4674-4991-9980-F1CC1C7726D7}, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{D975B09E-4D2E-42AE-AC5A-51326AFD76AD}_is1, Quarantined, [863], [512031],1.0.9150 Registry Value: 2 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [442], [540842],1.0.9150 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1187], [484510],1.0.9150 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x64, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x86, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\PROGRAM FILES\Boost My-PC Pro for {computername}, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\offers, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\PROGRAMDATA\Boost My-PC Pro for {computername}, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\smico, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\USERS\{username}\APPDATA\ROAMING\Boost My-PC Pro For {computername}, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Boost My-PC Pro for {computername}, Quarantined, [863], [512033],1.0.9150 File: 50 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x64\SQLite.Interop.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\x86\SQLite.Interop.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\application.ico, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\danish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Dutch_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\english_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\finish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\French_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\german_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\gmtrs.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\HtmlRenderer.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Interop.SHDocVw.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\italian_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\japanese_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\langs.db, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\NAudio.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\Newtonsoft.Json.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\norwegian_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\PaddleCheckoutSDK.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\portuguese_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\rtc.exe.config, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\russian_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\spanish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\swedish_iss.ini, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\System.Data.SQLite.DLL, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\TAFactory.IconPack.dll, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\unins000.dat, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\unins000.exe, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\Program Files\Boost My-PC Pro for {computername}\unins000.msg, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\WINDOWS\SYSTEM32\TASKS\Boost My-PC Pro_Logon, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Boost My-PC Pro.lnk, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\USERS\PUBLIC\DESKTOP\Boost My-PC Pro.lnk, Quarantined, [863], [512031],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\offers\a_p_t.exe, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\mdb.db, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Boost My-PC Pro for {computername}\pcspstartrepair_en.mp3, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\a_p_t_2.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\Errorlog.txt, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\exlist.bin, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\notifier.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\res.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\Users\{username}\AppData\Roaming\Boost My-PC Pro For {computername}\update.xml, Quarantined, [863], [512032],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername}\Boost My-PC Pro.lnk, Quarantined, [863], [512033],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername}\Buy Boost My-PC Pro.lnk, Quarantined, [863], [512033],1.0.9150 PUP.Optional.BoostPCPro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Boost My-PC Pro for {computername}\Uninstall Boost My-PC Pro.lnk, Quarantined, [863], [512033],1.0.9150 PUP.Optional.BoostPCPro, C:\USERS\{username}\DESKTOP\BMPPSETUP.EXE, Quarantined, [863], [512030],1.0.9150 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [442], [583068],1.0.9150 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Funky Stream?The Malwarebytes research team has determined that Funky Stream is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This particular one is a search hijacker and uses a web push notifications service that is blocked by Malwarebytes for fraud.How do I know if my computer is affected by Funky Stream?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Funky Stream get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Funky Stream?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Funky Stream? No, Malwarebytes removes Funky Stream completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Funky Stream hijacker. It would have blocked their notifications service, giving you a chance to stop before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.funkystreams.com/?q={searchTerms}&publisher=fctry_funkystreams&barcodeid=531630000000000 CHR DefaultSearchKeyword: Default -> FunkyStreams CHR DefaultSuggestURL: Default -> hxxps://api.funkystreams.com/suggest/get?q={searchTerms} CHR Extension: (FunkyStreams) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf [2019-02-06] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0 Adds the file closer.js"="9/13/2017 11:07 AM, 15 bytes, A Adds the file manifest.json"="2/6/2019 9:11 AM, 2352 bytes, A Adds the file popup.html"="4/4/2018 12:44 PM, 1154 bytes, A Adds the file tab.html"="9/13/2017 11:07 AM, 165 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata Adds the file computed_hashes.json"="2/6/2019 9:11 AM, 2655 bytes, A Adds the file verified_contents.json"="1/15/2019 8:06 AM, 2947 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images Adds the file how-1.png"="4/4/2018 12:44 PM, 2862 bytes, A Adds the file how-2.png"="4/4/2018 12:44 PM, 3247 bytes, A Adds the file logo-small.png"="3/27/2018 9:35 AM, 11485 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons Adds the file 128x128.png"="2/6/2019 9:11 AM, 3475 bytes, A Adds the file 16x16.png"="2/6/2019 9:11 AM, 332 bytes, A Adds the file 64x64.png"="2/6/2019 9:11 AM, 1735 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts Adds the file background.js"="1/17/2019 2:23 PM, 31654 bytes, A Adds the file jquery-3.3.1.min.js"="4/4/2018 12:44 PM, 86927 bytes, A Adds the file popup.js"="4/4/2018 12:46 PM, 545 bytes, A Adds the file sitecontent.js"="4/4/2018 12:44 PM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\styles Adds the file popup.css"="4/4/2018 12:44 PM, 1270 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aoekoghmabmcdailcompkbfclkjlofmf Adds the file Funky Stream.ico"="2/6/2019 9:11 AM, 166101 bytes, A Adds the file Funky Stream.ico.md5"="2/6/2019 9:11 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "aoekoghmabmcdailcompkbfclkjlofmf"="REG_SZ", "6F298B3B802EDD6A1FED028ABBF31D50C0D0732B76F04FFB681F2C5D588A421C" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/6/19 Scan Time: 9:19 AM Log File: f6c08abc-29e7-11e9-98dd-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9136 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236045 Threats Detected: 29 Threats Quarantined: 29 Time Elapsed: 3 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.FunkyStreams, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|aoekoghmabmcdailcompkbfclkjlofmf, Quarantined, [247], [554848],1.0.9136 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\styles, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf, Quarantined, [247], [554848],1.0.9136 File: 21 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons\128x128.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons\16x16.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\icons\64x64.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\how-1.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\how-2.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\images\logo-small.png, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\background.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\jquery-3.3.1.min.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\popup.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\scripts\sitecontent.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\styles\popup.css, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata\computed_hashes.json, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\_metadata\verified_contents.json, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\closer.js, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\manifest.json, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\popup.html, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoekoghmabmcdailcompkbfclkjlofmf\3.1.0_0\tab.html, Quarantined, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [554848],1.0.9136 PUP.Optional.FunkyStreams, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [247], [554848],1.0.9136 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is Kittens new tab?The Malwarebytes research team has determined that Kittens new tab is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Kittens new tab?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Kittens new tab get on my computer?Browser hijackers use different methods for distributing themselves. These particular ones were downloaded from their respective webstores:after a redirect from their website:How do I remove Kittens new tab?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Kittens new tab? No, Malwarebytes removes Kittens new tab completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Kittens new tab hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: {a36d5211-070b-4021-bca1-1b73b2ce4d73} FF Extension: (Kittens new tab) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{a36d5211-070b-4021-bca1-1b73b2ce4d73}.xpi [2019-02-05] CHR NewTab: Default -> Active:"chrome-extension://dlakdjndmfmnpcagngkijpmhpbfngdnl/newtab.html" CHR DefaultSearchURL: Default -> hxxps://searchpage.com/?ext=kittens&v=a1.6.2&keywords={searchTerms} CHR DefaultSearchKeyword: Default -> searchTerms CHR Extension: (Searchpage) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl [2019-02-05] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0 Adds the file 128.png"="2/5/2019 9:00 AM, 23719 bytes, A Adds the file font.woff2"="11/7/2018 11:36 AM, 49168 bytes, A Adds the file manifest.json"="2/5/2019 9:00 AM, 1804 bytes, A Adds the file newtab.html"="1/16/2019 2:19 PM, 5142 bytes, A Adds the file one.css"="1/29/2019 5:15 PM, 229240 bytes, A Adds the file pixel.js"="1/17/2019 4:18 PM, 177 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales\en Adds the file messages.json"="2/5/2019 9:00 AM, 149 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata Adds the file computed_hashes.json"="2/5/2019 9:00 AM, 10446 bytes, A Adds the file verified_contents.json"="1/31/2019 1:45 PM, 3227 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js Adds the file b.js"="1/22/2019 3:55 PM, 0 bytes, A Adds the file background.js"="1/31/2019 1:44 PM, 1985 bytes, A Adds the file data.js"="11/7/2018 11:36 AM, 3862 bytes, A Adds the file detailsUpdate.js"="1/16/2019 11:59 AM, 1523 bytes, A Adds the file dynamicData.json"="1/15/2019 5:52 PM, 478 bytes, A Adds the file fontawesome.js"="11/7/2018 11:36 AM, 9543 bytes, A Adds the file init.js"="1/16/2019 12:18 PM, 6583 bytes, A Adds the file initAnalytics.js"="11/7/2018 11:36 AM, 1277 bytes, A Adds the file jquery-3.3.1.min.js"="11/7/2018 6:39 PM, 271751 bytes, A Adds the file masonry.pkgd.min.js"="11/7/2018 11:36 AM, 26187 bytes, A Adds the file materialize.min.js"="11/7/2018 11:36 AM, 181214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl Adds the file 000003.log"="2/5/2019 9:00 AM, 2876 bytes, A Adds the file CURRENT"="2/5/2019 9:00 AM, 16 bytes, A Adds the file LOCK"="2/5/2019 9:00 AM, 0 bytes, A Adds the file LOG"="2/5/2019 9:00 AM, 185 bytes, A Adds the file MANIFEST-000001"="2/5/2019 9:00 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\{a36d5211-070b-4021-bca1-1b73b2ce4d73} In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {a36d5211-070b-4021-bca1-1b73b2ce4d73}.xpi"="2/5/2019 9:05 AM, 253254 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "dlakdjndmfmnpcagngkijpmhpbfngdnl"="REG_SZ", "E307B096C2061CB4FDB2F2CF0B78CC1D06D232CD84772F969B60768494CA817F" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/5/19 Scan Time: 9:11 AM Log File: a47e4bc4-291d-11e9-9cc6-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9122 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235939 Threats Detected: 37 Threats Quarantined: 37 Time Elapsed: 4 min, 2 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.BestText4Fun, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dlakdjndmfmnpcagngkijpmhpbfngdnl, Quarantined, [255], [631846],1.0.9122 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales\en, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\dlakdjndmfmnpcagngkijpmhpbfngdnl, Quarantined, [255], [631846],1.0.9122 PUP.Optional.KittensNewTab, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\{A36D5211-070B-4021-BCA1-1B73B2CE4D73}, Quarantined, [1732], [634388],1.0.9122 File: 28 PUP.Optional.KittensNewTab, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\{A36D5211-070B-4021-BCA1-1B73B2CE4D73}.XPI, Quarantined, [1732], [634389],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\b.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\background.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\data.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\detailsUpdate.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\dynamicData.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\fontawesome.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\init.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\initAnalytics.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\jquery-3.3.1.min.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\masonry.pkgd.min.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\js\materialize.min.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_locales\en\messages.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata\computed_hashes.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\_metadata\verified_contents.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\128.png, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\font.woff2, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\manifest.json, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\newtab.html, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\one.css, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlakdjndmfmnpcagngkijpmhpbfngdnl\1.6.3_0\pixel.js, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\000003.log, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\CURRENT, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\LOCK, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\LOG, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlakdjndmfmnpcagngkijpmhpbfngdnl\MANIFEST-000001, Quarantined, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [255], [631846],1.0.9122 PUP.Optional.BestText4Fun, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [255], [631846],1.0.9122 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is Search By MusixMuze?The Malwarebytes research team has determined that Search By MusixMuze is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search By MusixMuze?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search By MusixMuze get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Search By MusixMuze?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search By MusixMuze? No, Malwarebytes removes Search By MusixMuze completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search By MusixMuze hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://musixmuze.searchalgo.com/search/?category=web&s=mmds&q={searchTerms} CHR DefaultSearchKeyword: Default -> MusixMuze CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (MusixMuze) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo [2019-02-04] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0 Adds the file background.js"="5/2/2018 4:10 PM, 4495 bytes, A Adds the file manifest.json"="2/4/2019 8:54 AM, 1800 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata Adds the file computed_hashes.json"="2/4/2019 8:54 AM, 183 bytes, A Adds the file verified_contents.json"="5/2/2018 4:10 PM, 1648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons Adds the file icon128.png"="2/4/2019 8:54 AM, 4662 bytes, A Adds the file icon16.png"="2/4/2019 8:54 AM, 635 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iobjnmhjolomhiikmbglkomigcmlfhlo"="REG_SZ", "323B47BA4E0148DF312B6E535C090BEA51C0034960C7BB9B8001A73CDFE0FBF5" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/4/19 Scan Time: 9:01 AM Log File: 048dcb46-2853-11e9-ac92-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9104 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235883 Threats Detected: 15 Threats Quarantined: 15 Time Elapsed: 3 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.Muze, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iobjnmhjolomhiikmbglkomigcmlfhlo, Quarantined, [2290], [316919],1.0.9104 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IOBJNMHJOLOMHIIKMBGLKOMIGCMLFHLO, Quarantined, [2290], [316919],1.0.9104 File: 10 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons\icon128.png, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\icons\icon16.png, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata\computed_hashes.json, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\_metadata\verified_contents.json, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\background.js, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobjnmhjolomhiikmbglkomigcmlfhlo\1.0.4_0\manifest.json, Quarantined, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2290], [316919],1.0.9104 PUP.Optional.Muze, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2290], [316919],1.0.9104 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.9104 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.9104 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is MapsFox?The Malwarebytes research team has determined that MapsFox is a potentially unwanted program (PUP) that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.Note: there was a Chrome extension for this software, but it had been removed from the Webstore at the time of writing.How do I know if my computer is affected by MapsFox?You may see these warnings during install:and this entry in your list of installed Firefox extensions:and this icon in the menu-bar of the affected browser(s):How did MapsFox get on my computer?Adware applications use different methods for distributing themselves. This particular one was downloaded from their website:How do I remove MapsFox?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MapsFox? No, Malwarebytes removes MapsFox completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the ExpressDirections PUP. It would have blocked their website, giving you a chance to stop it before it became too late: Technical details for expertsPossible signs in FRST logs: FF Extension: (MapsFox) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{43a526a3-28ea-409f-933c-2ef3d9a0629b}.xpi [2019-02-01] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\{43a526a3-28ea-409f-933c-2ef3d9a0629b} Adds the file storage.js"="2/1/2019 10:29 AM, 2753 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {43a526a3-28ea-409f-933c-2ef3d9a0629b}.xpi"="2/1/2019 10:28 AM, 317643 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/1/19 Scan Time: 10:32 AM Log File: 43391482-2604-11e9-a85c-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9066 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235940 Threats Detected: 2 Threats Quarantined: 2 Time Elapsed: 3 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\{43A526A3-28EA-409F-933C-2EF3D9A0629B}, Quarantined, [1724], [629212],1.0.9066 File: 1 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\{43A526A3-28EA-409F-933C-2EF3D9A0629B}\STORAGE.JS, Quarantined, [1724], [629212],1.0.9066 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is eSpeedDownload Search?The Malwarebytes research team has determined that eSpeedDownload Search is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by eSpeedDownload Search?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did eSpeedDownload Search get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove eSpeedDownload Search?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of eSpeedDownload Search? No, Malwarebytes removes eSpeedDownload Search completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the eSpeedDownload Search hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://apps.searchalgo.com/search/?category=web&s=sdds&q={searchTerms} CHR DefaultSearchKeyword: Default -> espeedDownload CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (eSpeedDownload) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd [2019-01-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0 Adds the file icons.html"="12/27/2015 11:20 AM, 190 bytes, A Adds the file manifest.json"="1/30/2019 4:49 PM, 2094 bytes, A Adds the file popup.css"="12/27/2015 11:20 AM, 6449 bytes, A Adds the file popup.html"="12/27/2015 11:20 AM, 3929 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_locales\en Adds the file messages.json"="1/30/2019 4:49 PM, 12391 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_metadata Adds the file computed_hashes.json"="1/30/2019 4:49 PM, 13802 bytes, A Adds the file verified_contents.json"="1/4/2016 4:19 PM, 7557 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\icons Adds the file icon128.png"="1/30/2019 4:49 PM, 9440 bytes, A Adds the file icon16.png"="1/30/2019 4:49 PM, 909 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\button Adds the file btn_save.png"="12/27/2015 11:20 AM, 2844 bytes, A Adds the file btn_save_hover.png"="12/27/2015 11:20 AM, 2851 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons Adds the file big_icon.jpg"="12/27/2015 11:20 AM, 1607 bytes, A Adds the file icon_19x19.png"="12/27/2015 11:20 AM, 4072 bytes, A Adds the file icon_38x38.png"="12/27/2015 11:20 AM, 4086 bytes, A Adds the file icon128.png"="12/27/2015 11:20 AM, 11945 bytes, A Adds the file icon16.png"="12/27/2015 11:20 AM, 1965 bytes, A Adds the file small_icon.png"="12/27/2015 11:20 AM, 1091 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons download Adds the file btn.png"="12/27/2015 11:20 AM, 2531 bytes, A Adds the file btn_hover.png"="12/27/2015 11:20 AM, 2546 bytes, A Adds the file frame.jpg"="12/27/2015 11:20 AM, 1291 bytes, A Adds the file v.png"="12/27/2015 11:20 AM, 1021 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover Adds the file danger.png"="12/27/2015 11:20 AM, 1917 bytes, A Adds the file delete.png"="12/27/2015 11:20 AM, 2076 bytes, A Adds the file folder.png"="12/27/2015 11:20 AM, 1840 bytes, A Adds the file frame.png"="12/27/2015 11:20 AM, 1414 bytes, A Adds the file pause.png"="12/27/2015 11:20 AM, 1457 bytes, A Adds the file play.png"="12/27/2015 11:20 AM, 1752 bytes, A Adds the file referrer.png"="12/27/2015 11:20 AM, 2490 bytes, A Adds the file refresh.png"="12/27/2015 11:20 AM, 2069 bytes, A Adds the file remove.png"="12/27/2015 11:20 AM, 1805 bytes, A Adds the file safe.png"="12/27/2015 11:20 AM, 1981 bytes, A Adds the file stop.png"="12/27/2015 11:20 AM, 1660 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons_tabs Adds the file delete.png"="12/27/2015 11:20 AM, 1398 bytes, A Adds the file filter.png"="12/27/2015 11:20 AM, 1338 bytes, A Adds the file folder.png"="12/27/2015 11:20 AM, 1298 bytes, A Adds the file search.png"="12/27/2015 11:20 AM, 1247 bytes, A Adds the file settings.png"="12/27/2015 11:20 AM, 1449 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\notification Adds the file open_folder.png"="12/27/2015 11:20 AM, 1435 bytes, A Adds the file pause.png"="12/27/2015 11:20 AM, 1217 bytes, A Adds the file show_download.png"="12/27/2015 11:20 AM, 1423 bytes, A Adds the file show_file.png"="12/27/2015 11:20 AM, 1416 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js Adds the file auto_complete.js"="12/27/2015 11:20 AM, 2382 bytes, A Adds the file background2.js"="1/4/2016 4:22 PM, 6157 bytes, A Adds the file bootstrap.min.js"="12/27/2015 11:20 AM, 35607 bytes, A Adds the file content.js"="12/27/2015 11:20 AM, 4145 bytes, A Adds the file icons.js"="12/27/2015 11:20 AM, 222 bytes, A Adds the file jquery.min.js"="12/27/2015 11:20 AM, 93104 bytes, A Adds the file jquery-1.9.1.js"="12/27/2015 11:20 AM, 277978 bytes, A Adds the file jqueryui.min.js"="12/27/2015 11:20 AM, 228013 bytes, A Adds the file main.js"="12/27/2015 3:09 PM, 2671 bytes, A Adds the file popup.js"="12/27/2015 3:08 PM, 33991 bytes, A Adds the file search.js"="1/4/2016 3:24 PM, 527 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\json Adds the file mime.json"="12/27/2015 11:20 AM, 41146 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cnbhdbbdefaakpmjbpibaadnhafincnd"="REG_SZ", "34B68A834D12248AA7AD870409AF43EEAED215751E2272E95FE64E88831DD3CE" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/30/19 Scan Time: 4:58 PM Log File: e1fd686a-24a7-11e9-b87e-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9038 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235857 Threats Detected: 73 Threats Quarantined: 73 Time Elapsed: 4 min, 7 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SearchAlgo.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|cnbhdbbdefaakpmjbpibaadnhafincnd, Quarantined, [14597], [443230],1.0.9038 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 15 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons download, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\notification, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons_tabs, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\button, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_locales\en, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_metadata, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_locales, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\icons, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\json, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CNBHDBBDEFAAKPMJBPIBAADNHAFINCND, Quarantined, [14597], [443230],1.0.9038 File: 57 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CNBHDBBDEFAAKPMJBPIBAADNHAFINCND\1.0.2_0\MANIFEST.JSON, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\icons\icon128.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\icons\icon16.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\button\btn_save.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\button\btn_save_hover.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons\big_icon.jpg, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons\icon128.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons\icon16.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons\icon_19x19.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons\icon_38x38.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons\small_icon.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons download\btn.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons download\btn_hover.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons download\frame.jpg, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons download\v.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\danger.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\delete.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\folder.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\frame.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\pause.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\play.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\referrer.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\refresh.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\remove.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\safe.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons hover\stop.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons_tabs\delete.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons_tabs\filter.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons_tabs\folder.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons_tabs\search.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\icons_tabs\settings.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\notification\open_folder.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\notification\pause.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\notification\show_download.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\images\notification\show_file.png, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\auto_complete.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\background2.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\bootstrap.min.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\content.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\icons.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\jquery-1.9.1.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\jquery.min.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\jqueryui.min.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\main.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\popup.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\js\search.js, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\json\mime.json, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_locales\en\messages.json, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_metadata\computed_hashes.json, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\_metadata\verified_contents.json, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\icons.html, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\popup.css, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnbhdbbdefaakpmjbpibaadnhafincnd\1.0.2_0\popup.html, Quarantined, [14597], [443230],1.0.9038 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.9038 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.9038 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is SecuryBrowse for Chrome?The Malwarebytes research team has determined that SecuryBrowse for Chrome is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by SecuryBrowse for Chrome?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did SecuryBrowse for Chrome get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove SecuryBrowse for Chrome?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of SecuryBrowse for Chrome? No, Malwarebytes removes SecuryBrowse for Chrome completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the SecuryBrowse for Chrome hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://search.securybrowse.com/?dss&yh&q={searchTerms} CHR DefaultSearchKeyword: Default -> securyBrowse CHR Extension: (securyBrowse) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak [2019-01-30] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0 Adds the file extenv.js"="4/10/2018 10:24 AM, 1444 bytes, A Adds the file init.js"="3/11/2018 3:35 PM, 4097 bytes, A Adds the file manifest.json"="1/30/2019 9:59 AM, 2142 bytes, A Adds the file popup.html"="3/11/2018 3:35 PM, 2767 bytes, A Adds the file popup.js"="3/11/2018 3:35 PM, 2092 bytes, A Adds the file safeUtils.js"="3/11/2018 3:35 PM, 426 bytes, A Adds the file settings.js"="3/11/2018 3:35 PM, 425 bytes, A Adds the file wa.png"="3/11/2018 3:35 PM, 68 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\_metadata Adds the file computed_hashes.json"="1/30/2019 9:59 AM, 3117 bytes, A Adds the file verified_contents.json"="4/10/2018 11:56 AM, 2985 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\external Adds the file jquery.js"="3/11/2018 3:35 PM, 86713 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons Adds the file icon128.png"="1/30/2019 9:59 AM, 7268 bytes, A Adds the file icon128_warn.png"="2/22/2018 4:55 PM, 7186 bytes, A Adds the file icon16.png"="1/30/2019 9:59 AM, 7841 bytes, A Adds the file icon16_warn.png"="3/11/2018 3:35 PM, 7224 bytes, A Adds the file logo_med.png"="3/11/2018 3:35 PM, 9363 bytes, A Adds the file scanbg.png"="3/11/2018 3:35 PM, 32861 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\js Adds the file background.js"="3/11/2018 3:35 PM, 10961 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fchgahponkgfomlgieipannlfanfbfak Adds the file 000003.log"="1/30/2019 9:59 AM, 0 bytes, A Adds the file CURRENT"="1/30/2019 9:59 AM, 16 bytes, A Adds the file LOCK"="1/30/2019 9:59 AM, 0 bytes, A Adds the file LOG"="1/30/2019 9:59 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/30/2019 9:59 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fchgahponkgfomlgieipannlfanfbfak"="REG_SZ", "C2FCA386A1E7A4F36E9487E83FC19B1C4A345AF0A14D5261275CD4493B493FDD" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/30/19 Scan Time: 10:08 AM Log File: a5055c76-246e-11e9-a29e-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9032 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235842 Threats Detected: 34 Threats Quarantined: 34 Time Elapsed: 3 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.SecuryBrowse, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fchgahponkgfomlgieipannlfanfbfak, Quarantined, [259], [596810],1.0.9032 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\_metadata, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\external, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fchgahponkgfomlgieipannlfanfbfak, Quarantined, [259], [596810],1.0.9032 File: 26 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\external\jquery.js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons\icon128.png, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons\icon128_warn.png, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons\icon16.png, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons\icon16_warn.png, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons\logo_med.png, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\icons\scanbg.png, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\js\background.js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\_metadata\computed_hashes.json, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\_metadata\verified_contents.json, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\extenv.js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\init.js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\manifest.json, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\popup.html, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\popup.js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\safeUtils.js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\settings.js, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fchgahponkgfomlgieipannlfanfbfak\1.3.617_0\wa.png, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fchgahponkgfomlgieipannlfanfbfak\000003.log, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fchgahponkgfomlgieipannlfanfbfak\CURRENT, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fchgahponkgfomlgieipannlfanfbfak\LOCK, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fchgahponkgfomlgieipannlfanfbfak\LOG, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fchgahponkgfomlgieipannlfanfbfak\MANIFEST-000001, Quarantined, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [259], [596810],1.0.9032 PUP.Optional.SecuryBrowse, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [259], [596810],1.0.9032 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is Quick Maps And Directions?The Malwarebytes research team has determined that Quick Maps And Directions is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.This one hijacks homepages and searchscopes.How do I know if my computer is affected by Quick Maps And Directions?You may see this entry in your list of installed software:and these warnings during install:these browser add-ons/extensions:and this changed default search engine:and you will see this new startpage or newtab in the affected browser(s):How did Quick Maps And Directions get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded through their website.How do I remove Quick Maps And Directions?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Quick Maps And Directions? No, Malwarebytes removes Quick Maps And Directions completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Quick Maps And Directions hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and it would have blocked access to their site: Technical details for expertsPossible signs in FRST logs: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hquickmapsanddirections.com/?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei SearchScopes: HKCU -> DefaultScope {2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0} URL = hxxp://search.hquickmapsanddirections.com/s?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei&query={searchTerms} SearchScopes: HKCU -> {2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0} URL = hxxp://search.hquickmapsanddirections.com/s?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei&query={searchTerms} FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: web@Maps FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: web@Maps FF Extension: (Maps) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Maps.xpi [2019-01-29] CHR NewTab: Default -> Active:"chrome-extension://clmhhlhnmdefjcebkphiefgdbglinjga/newtab/quicktab.html" CHR Extension: (Quick Maps and Directions) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga [2019-01-29] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Quick Maps And Directions (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.4.0.3 - SpringTech Ltd.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0 Adds the file after.js"="11/13/2018 2:10 PM, 950 bytes, A Adds the file background.js"="11/13/2018 2:11 PM, 12252 bytes, A Adds the file chromeRestore.js"="9/10/2018 12:14 PM, 2256 bytes, A Adds the file contentscript.js"="9/10/2018 12:14 PM, 1243 bytes, A Adds the file icon.png"="1/29/2019 9:41 AM, 5980 bytes, A Adds the file manifest.json"="1/29/2019 9:41 AM, 1464 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales\en Adds the file messages.json"="1/29/2019 9:41 AM, 283 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata Adds the file computed_hashes.json"="1/29/2019 9:41 AM, 1264 bytes, A Adds the file verified_contents.json"="11/13/2018 2:48 PM, 2736 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css Adds the file browserAction.css"="9/10/2018 12:14 PM, 95 bytes, A Adds the file description.css"="9/10/2018 12:14 PM, 1008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction Adds the file browserAction.html"="9/10/2018 12:14 PM, 239 bytes, A Adds the file description.html"="9/10/2018 12:14 PM, 273 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\popup Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js Adds the file userNewTab.js"="9/10/2018 12:14 PM, 1681 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js\popup Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\newtab Adds the file quicktab.html"="9/10/2018 12:14 PM, 212 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga Adds the file 000003.log"="1/29/2019 9:41 AM, 301 bytes, A Adds the file CURRENT"="1/29/2019 9:41 AM, 16 bytes, A Adds the file LOCK"="1/29/2019 9:41 AM, 0 bytes, A Adds the file LOG"="1/29/2019 9:41 AM, 184 bytes, A Adds the file MANIFEST-000001"="1/29/2019 9:41 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="1/29/2019 9:36 AM, 320256 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Maps Adds the file storage.js"="1/29/2019 9:39 AM, 350 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file web@Maps.xpi"="1/29/2019 9:39 AM, 12474 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "clmhhlhnmdefjcebkphiefgdbglinjga"="REG_SZ", "C3882B0C5E1DA0279158C01DB92D7DB8D59F05A978E1CE56F1E0EC0F07C8DB7C" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.hquickmapsanddirections.com/?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}] "DisplayName"="REG_SZ", "Quick Maps And Directions - Powered by Yahoo!" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.hquickmapsanddirections.com/s?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Quick Maps And Directions" "DisplayVersion"="REG_SZ", "4.4.0.3" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "SpringTech Ltd." "UninstallDialog"="REG_DWORD", 2 "UninstallEngineID"="REG_SZ", "{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}" "UninstallHomepage"="REG_SZ", "http://search.hquickmapsanddirections.com/?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei" "UninstallImpression"="REG_SZ", "http://www.springdwnld2.com/impression.do?domain=hquickmapsanddirections.com&implementation_id=maps_spt__1.30&offer_id=_iei_&source=-lp0-bb9-iei&sub_id=20190129&traffic_source=appfocus1&user_id=ffacf9dc-0dc1-484b-bb45-74b383914b45&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1548750669&sgn=e83397fd3c3b2a355519227a73ce9e87e17824a0&subid2=11.0.9600.19236&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/29/19 Scan Time: 9:52 AM Log File: 39d82530-23a3-11e9-bdf5-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.9014 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235789 Threats Detected: 46 Threats Quarantined: 46 Time Elapsed: 3 min, 12 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}, Quarantined, [220], [614252],1.0.9014 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [167], [373879],1.0.9014 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}|URL, Quarantined, [220], [614252],1.0.9014 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|clmhhlhnmdefjcebkphiefgdbglinjga, Quarantined, [220], [530199],1.0.9014 Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [220], [613776],1.0.9014 Data Stream: 0 (No malicious items detected) Folder: 15 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [167], [373878],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales\en, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\popup, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js\popup, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\newtab, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLMHHLHNMDEFJCEBKPHIEFGDBGLINJGA, Quarantined, [220], [530199],1.0.9014 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@MAPS, Quarantined, [1714], [508613],1.0.9014 File: 26 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\WEB@MAPS.XPI, Quarantined, [1714], [509072],1.0.9014 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [167], [373878],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\000003.log, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\CURRENT, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\LOCK, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\LOG, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\MANIFEST-000001, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLMHHLHNMDEFJCEBKPHIEFGDBGLINJGA\5.1_0\CHROMERESTORE.JS, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css\browserAction.css, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css\description.css, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction\browserAction.html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction\description.html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js\userNewTab.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\newtab\quicktab.html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales\en\messages.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata\computed_hashes.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata\verified_contents.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\after.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\background.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\contentscript.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\icon.png, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\manifest.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@MAPS\STORAGE.JS, Quarantined, [1714], [508613],1.0.9014 Generic.Malware/Suspicious, C:\USERS\{username}\DESKTOP\QUICKMAPSANDDIRECTIONS-11959808.EXE, Quarantined, [0], [392686],1.0.9014 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is DriverHive?The Malwarebytes research team has determined that DriverHive is a "driver updater". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.This installer for this particular one also is a bundler:How do I know if I am infected with DriverHive?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:How did DriverHive get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove DriverHive?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of DriverHive? No, Malwarebytes removes DriverHive completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the DriverHive installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for expertsYou may see these entries in FRST logs: (Bootstrap Development, LLC.) C:\Program Files (x86)\DriverHive\DriverHive.exe (Bootstrap Development, LLC.) C:\Program Files (x86)\DriverHive\DriverHiveTray.exe HKLM-x32\...\Run: [DriverHiveTray] => C:\Program Files (x86)\DriverHive\DriverHiveTray.exe [2444328 2016-01-17] (Bootstrap Development, LLC.) C:\Users\{username}\AppData\Roaming\BSD C:\ProgramData\BSD C:\Users\{username}\Desktop\DriverHive.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverHive C:\Program Files (x86)\DriverHive (Bootstrap Development, LLC.) C:\Windows\bsdsetupDH.dll DriverHive (HKLM-x32\...\DriverHive_is1) (Version: - Bootstrap Development, LLC.) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\DriverHive Adds the file DPInst32.exe"="1/17/2016 12:31 PM, 545280 bytes, A Adds the file DPInst64.exe"="1/17/2016 12:31 PM, 670720 bytes, A Adds the file DriverHive Help.chm"="1/17/2016 12:30 PM, 53312 bytes, A Adds the file DriverHive.exe"="1/17/2016 12:44 PM, 4710952 bytes, A Adds the file DriverHiveTray.exe"="1/17/2016 12:44 PM, 2444328 bytes, A Adds the file PBLogo.bmp"="1/17/2016 12:31 PM, 19542 bytes, A Adds the file unins000.dat"="1/28/2019 8:43 AM, 60470 bytes, A Adds the file unins000.exe"="1/28/2019 8:42 AM, 736090 bytes, A Adds the file UninstallTrial.bmp"="1/17/2016 12:31 PM, 52190 bytes, A Adds the file ZipDll.dll"="1/17/2016 12:33 PM, 134144 bytes, A Adds the folder C:\ProgramData\BSD\DriverHive Adds the file history2.dat"="1/28/2019 8:44 AM, 63 bytes, A Adds the file scandet2.dat"="1/28/2019 8:44 AM, 53027 bytes, A Adds the file scansummary2.dat"="1/28/2019 8:44 AM, 208 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverHive Adds the file DriverHive.lnk"="1/28/2019 8:43 AM, 981 bytes, A Adds the file Help for DriverHive.lnk"="1/28/2019 8:43 AM, 1006 bytes, A Adds the file Uninstall DriverHive.lnk"="1/28/2019 8:43 AM, 971 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\BSD\DriverHive\Logs Adds the file DriverHive.log"="1/28/2019 8:44 AM, 0 bytes, A Adds the file DriverHiveTray.log"="1/28/2019 8:44 AM, 0 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Adds the file DriverHive.lnk"="1/28/2019 8:43 AM, 987 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file DriverHive.lnk"="1/28/2019 8:43 AM, 963 bytes, A In the existing folder C:\Windows Adds the file bsdsetupDH.dll"="1/17/2016 12:42 PM, 1646592 bytes, A Alters the file win.ini 7/14/2009 7:09 AM, 403 bytes, A ==> 1/28/2019 8:44 AM, 486 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BSD\DriverHive] "AffParam"="REG_SZ", "BSD" "CCParam"="REG_SZ", "" "CheckForUpdates"="REG_DWORD", 1 "DownloadDirectory"="REG_SZ", "C:\Users\{username}\AppData\Local\Temp\" "DriverCls"="REG_SZ", "{59756760-558E-47EB-818B-91C883633BC4}" "DriverIgnoreList"="REG_SZ", "" "DriverUploadList"="REG_SZ", "" "Language"="REG_SZ", "en" "LastDisplay"="REG_BINARY, .... "LastUpdateCheck"="REG_BINARY, .... "LatestVersionOnServerBuild"="REG_DWORD", 0 "LatestVersionOnServerMajor"="REG_DWORD", 0 "LatestVersionOnServerMinor"="REG_DWORD", 0 "LatestVersionOnServerRelease"="REG_DWORD", 0 "NA"="REG_SZ", "C" "NC"="REG_SZ", "A" "NR"="REG_SZ", "C" "NW"="REG_SZ", "A" "ProxyAddress"="REG_SZ", "" "ProxyEnabled"="REG_DWORD", 0 "ProxyPassword"="REG_SZ", "" "ProxyPort"="REG_DWORD", 0 "ProxyUsername"="REG_SZ", "" "Samples"="REG_DWORD", 1 "ScanFrequency"="REG_DWORD", 7 "ShowGUIOnScan"="REG_DWORD", 0 "TTParam"="REG_DWORD", 255 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BSD\DriverHive\StorageHistory] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "DriverHiveTray"="REG_SZ", "C:\Program Files (x86)\DriverHive\DriverHiveTray.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverHive_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\DriverHive\DriverHive.exe" "DisplayName"="REG_SZ", "DriverHive" "HelpLink"="REG_SZ", "http://www.bootstrapdevelopment.com" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\DriverHive" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "DriverHive" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon,quicklaunchicon" "Inno Setup: Setup Version"="REG_SZ", "5.3.5 (a)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190128" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\DriverHive\" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Bootstrap Development, LLC." "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\DriverHive\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\DriverHive\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://www.bootstrapdevelopment.com" "URLUpdateInfo"="REG_SZ", "http://www.bootstrapdevelopment.com" [HKEY_CURRENT_USER\Software\Ask.com.tmp\General] "apn_dbr"="REG_SZ", "ff_64.0" "cbid"="REG_SZ", "^XT" "client"="REG_SZ", "ic" "clientv"="REG_SZ", "9.9.9.9" "cr"="REG_SZ", "1" "cr-homepageurl"="REG_SZ", "http://www.search.ask.com/?l=dis&o=16522cr" "crif"="REG_SZ", "1" "cr-o"="REG_SZ", "10148cr" "crumb"="REG_SZ", "2019.01.28+02.42.09-dubprdapntlfe9-NL-QW1zdGVyZGFtLE5ldGhlcmxhbmRz" "crx-path"="REG_SZ", "http://apnmedia.ask.com/media/toolbar/supertoolbar/chrome/BSP/1.15.25.0/aaaapoehmlbjgmbfaelmebaigekhbioa_7.15.25.0.crx" "dbr"="REG_SZ", "2" "dot"="REG_SZ", "6" "dt"="REG_SZ", "156" "dtid"="REG_SZ", "^YYYYYY^YY^NL" "eichk"="REG_SZ", "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^XT^YYYYYY^YY^NL&encb={incbid}&chk={ic_chk}&ts={random}&guid={guid}&dt={dt}&wft={wft}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&dot={dot}" "einst"="REG_SZ", "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=einst&p2=^XT^YYYYYY^YY^NL&stb={wr_tbr}&ssa={wr_sa}&shpr={wr_hpr}&res={ci_res}&erc={ci_erc}&itime={itime}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&ts={random}&guid={guid}&wft={wft}&dot={dot}&inst={inst}&tb={tb}&dt={dt}&erd={erd}" "ewrap"="REG_SZ", "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=ewrap&p2=^XT^YYYYYY^YY^NL&stb={wr_tbr}&ssa={wr_sa}&shpr={wr_hpr}&param={param}&ts={random}&guid={guid}&dt={dt}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&wft={wft}&dot={dot}&erd={erd}" "fflu"="REG_SZ", "-2" "ff-max-version"="REG_SZ", "13.*" "fv"="REG_SZ", "64.0 (x86 en-GB)" "guid"="REG_SZ", "b0bd4e99-9ba8-46a3-94cb-5f350b47f718" "harch"="REG_SZ", "64" "hloc"="REG_SZ", "en-US" "homepageurl"="REG_SZ", "http://www.search.ask.com/?l=dis&o=16522" "hos"="REG_SZ", "6.1.1.sp1.x64" "iedis"="REG_SZ", "1" "ielu"="REG_SZ", "-2" "iev"="REG_SZ", "9.11.9600.19236" "inst"="REG_SZ", "200" "iv"="REG_SZ", "9.11.9600.19236" "l"="REG_SZ", "dis" "locale"="REG_SZ", "en_NL" "location"="REG_SZ", "Amsterdam,Netherlands" "make-offer"="REG_SZ", "1" "nthp"="REG_SZ", "0" "o"="REG_SZ", "10148" "oi"="REG_SZ", "nop" "qsrc"="REG_SZ", "2871" "repurl"="REG_SZ", "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^XT^YYYYYY^YY^NL&encb={incbid}&chk={ic_chk}&ts={random}&guid=" "saguid"="REG_SZ", "5e4265a0-9d62-488b-9284-1162176cc6f8" "same-partner"="REG_SZ", "0" "slwo"="REG_SZ", "0" "tb"="REG_SZ", "BSP" "tb-installer-path"="REG_SZ", "http://apnmedia.ask.com/media/toolbar/supertoolbar/profile-ask/EverestWrapper.exe" "tb-version"="REG_SZ", "5.15.25.0" "to"="REG_SZ", "" "wft"="REG_SZ", "remote" [HKEY_CURRENT_USER\Software\Ask.com.tmp\Installer] "cr-homepageurl"="REG_SZ", "http://www.search.ask.com/?l=dis&o=16522cr" "crif"="REG_SZ", "1" "eichk"="REG_SZ", "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^XT^YYYYYY^YY^NL&encb={incbid}&chk={ic_chk}&ts={random}&guid={guid}&dt={dt}&wft={wft}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&dot={dot}" "ff-max-version"="REG_SZ", "13.*" "guid"="REG_SZ", "b0bd4e99-9ba8-46a3-94cb-5f350b47f718" "homepageurl"="REG_SZ", "http://www.search.ask.com/?l=dis&o=16522" "make-offer"="REG_SZ", "1" "nthp"="REG_SZ", "0" "oi"="REG_SZ", "nop" "repurl"="REG_SZ", "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^XT^YYYYYY^YY^NL&encb={incbid}&chk={ic_chk}&ts={random}&guid=" [HKEY_CURRENT_USER\Software\Ask.com.tmp\Macro] "cbid"="REG_SZ", "^XT" "cr-o"="REG_SZ", "10148cr" "crumb"="REG_SZ", "2019.01.28+02.42.09-dubprdapntlfe9-NL-QW1zdGVyZGFtLE5ldGhlcmxhbmRz" "dtid"="REG_SZ", "^YYYYYY^YY^NL" "l"="REG_SZ", "dis" "locale"="REG_SZ", "en_NL" "location"="REG_SZ", "Amsterdam,Netherlands" "o"="REG_SZ", "10148" "qsrc"="REG_SZ", "2871" "slwo"="REG_SZ", "0" "to"="REG_SZ", "" [HKEY_CURRENT_USER\Software\BSD\DriverHive] "MainFormHeight"="REG_DWORD", 750 "MainFormLeft"="REG_DWORD", -1 "MainFormMonitor"="REG_DWORD", 0 "MainFormState"="REG_DWORD", 0 "MainFormTop"="REG_DWORD", -1 "MainFormWidth"="REG_DWORD", 915 "ShowWelcome"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\BSD\PCZ] Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/28/19 Scan Time: 8:50 AM Log File: 64bfdcb6-22d1-11e9-a7b0-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8990 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235667 Threats Detected: 34 Threats Quarantined: 34 Time Elapsed: 3 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 2 PUP.Optional.DriverHive, C:\PROGRAM FILES (X86)\DRIVERHIVE\DRIVERHIVETRAY.EXE, Quarantined, [2912], [542206],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\DriverHive.exe, Quarantined, [2912], [542200],1.0.8990 Module: 2 PUP.Optional.DriverHive, C:\PROGRAM FILES (X86)\DRIVERHIVE\DRIVERHIVETRAY.EXE, Quarantined, [2912], [542206],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\DriverHive.exe, Quarantined, [2912], [542200],1.0.8990 Registry Key: 2 PUP.Optional.DriverHive, HKLM\SOFTWARE\WOW6432NODE\BSD\DriverHive, Quarantined, [2912], [542205],1.0.8990 PUP.Optional.DriverHive, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DriverHive_is1, Quarantined, [2912], [542207],1.0.8990 Registry Value: 1 PUP.Optional.DriverHive, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DRIVERHIVETRAY, Quarantined, [2912], [542206],1.0.8990 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.ASK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\APNLOGS, Quarantined, [2], [184754],1.0.8990 PUP.Optional.ASK.Gen, C:\USERS\{username}\APPDATA\LOCAL\TEMP\APN-STUB, Quarantined, [3598], [181296],1.0.8990 PUP.Optional.DriverHive, C:\Users\{username}\AppData\Roaming\BSD\DriverHive\Logs, Quarantined, [2912], [542201],1.0.8990 PUP.Optional.DriverHive, C:\USERS\{username}\APPDATA\ROAMING\BSD\DRIVERHIVE, Quarantined, [2912], [542201],1.0.8990 PUP.Optional.DriverHive, C:\PROGRAM FILES (X86)\DRIVERHIVE, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVERHIVE, Quarantined, [2912], [542202],1.0.8990 File: 21 PUP.Optional.ASK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\APNLOGS\ic.log, Quarantined, [2], [184754],1.0.8990 PUP.Optional.ASK.Gen, C:\Users\{username}\AppData\Local\Temp\APN-Stub\Stb69d0002f-688a-42c9-9ef4-d8530ff9ec01.log, Quarantined, [3598], [181296],1.0.8990 PUP.Optional.DriverHive, C:\USERS\{username}\APPDATA\ROAMING\BSD\DRIVERHIVE\LOGS\DriverHive.log, Quarantined, [2912], [542201],1.0.8990 PUP.Optional.DriverHive, C:\Users\{username}\AppData\Roaming\BSD\DriverHive\Logs\DriverHiveTray.log, Quarantined, [2912], [542201],1.0.8990 PUP.Optional.DriverHive, C:\USERS\{username}\DESKTOP\DRIVERHIVE.LNK, Quarantined, [2912], [542204],1.0.8990 PUP.Optional.DriverHive, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\DRIVERHIVE.LNK, Quarantined, [2912], [542203],1.0.8990 PUP.Optional.DriverHive, C:\PROGRAM FILES (X86)\DRIVERHIVE\DRIVERHIVETRAY.EXE, Quarantined, [2912], [542206],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\DPInst32.exe, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\DPInst64.exe, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\DriverHive Help.chm, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\DriverHive.exe, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\PBLogo.bmp, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\unins000.dat, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\unins000.exe, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\UninstallTrial.bmp, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\Program Files (x86)\DriverHive\ZipDll.dll, Quarantined, [2912], [542200],1.0.8990 PUP.Optional.DriverHive, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverHive\DriverHive.lnk, Quarantined, [2912], [542202],1.0.8990 PUP.Optional.DriverHive, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverHive\Help for DriverHive.lnk, Quarantined, [2912], [542202],1.0.8990 PUP.Optional.DriverHive, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverHive\Uninstall DriverHive.lnk, Quarantined, [2912], [542202],1.0.8990 PUP.Optional.DriverHive, C:\USERS\{username}\DESKTOP\DRIVERHIVETRIALSETUP.EXE, Quarantined, [2912], [542209],1.0.8990 PUP.Optional.DriverHive, C:\USERS\{username}\DOWNLOADS\DRIVERHIVETRIALSETUP.EXE, Quarantined, [2912], [542209],1.0.8990 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is ExpressDirections?The Malwarebytes research team has determined that ExpressDirections is a potentially unwanted program (PUP) that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by ExpressDirections?You may see these warnings during install:these browser extensions:and this icon in the menu-bar of the affected browser(s):How did ExpressDirections get on my computer?Adware applications use different methods for distributing themselves. Bothe extensions were installed from their website:The Chrome extensions after a redirect to the webstore:How do I remove ExpressDirections?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of ExpressDirections? No, Malwarebytes removes ExpressDirections completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the ExpressDirections PUP. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: FF Extension: (ExpressDirections) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{4c50cefd-8f14-41ab-b719-8606b116d1c2}.xpi [2019-01-25] CHR Extension: (ExpressDirections Promos) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl [2019-01-25] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0 Adds the file includeabstractor.js"="11/23/2018 9:35 AM, 1141 bytes, A Adds the file manifest.json"="1/25/2019 9:13 AM, 2674 bytes, A Adds the file notifytheme.js"="11/23/2018 9:35 AM, 2602 bytes, A Adds the file segmentaccount.js"="11/23/2018 9:35 AM, 6853 bytes, A Adds the file servetext.js"="11/23/2018 9:35 AM, 3416 bytes, A Adds the file showservice.js"="11/23/2018 9:35 AM, 1774 bytes, A Adds the file shredticket.js"="11/23/2018 9:35 AM, 8132 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\_metadata Adds the file computed_hashes.json"="1/25/2019 9:13 AM, 22335 bytes, A Adds the file verified_contents.json"="11/23/2018 9:35 AM, 10803 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\core Adds the file includeabstractor.js"="11/23/2018 9:35 AM, 52086 bytes, A Adds the file notifytheme.js"="11/23/2018 9:35 AM, 31142 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\css Adds the file backcomp.css"="11/23/2018 9:35 AM, 1737 bytes, A Adds the file bb-ta-template.css"="11/23/2018 9:35 AM, 1257 bytes, A Adds the file lbx-template.css"="11/23/2018 9:35 AM, 1139 bytes, A Adds the file style.css"="11/23/2018 9:35 AM, 6099 bytes, A Adds the file tl-template.css"="11/23/2018 9:35 AM, 10277 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\html Adds the file background.html"="11/23/2018 9:35 AM, 308 bytes, A Adds the file bb-ta-template.html"="11/23/2018 9:35 AM, 867 bytes, A Adds the file lbx-template.html"="11/23/2018 9:35 AM, 488 bytes, A Adds the file tl-template.html"="11/23/2018 9:35 AM, 3821 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js Adds the file vast.js"="11/23/2018 9:35 AM, 42967 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\background Adds the file require-config.js"="11/23/2018 9:35 AM, 1139 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\bb-ta-template Adds the file require-config.js"="11/23/2018 9:35 AM, 140 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\content Adds the file require-config.js"="11/23/2018 9:35 AM, 1859 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\lbx-template Adds the file require-config.js"="11/23/2018 9:35 AM, 285 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\tl-template Adds the file require-config.js"="11/23/2018 9:35 AM, 266 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_ Adds the file accessaccess.js"="11/23/2018 9:35 AM, 70087 bytes, A Adds the file acquisitionparameters.js"="11/23/2018 9:35 AM, 30057 bytes, A Adds the file cyclenotification.js"="11/23/2018 9:35 AM, 15405 bytes, A Adds the file cycletext.js"="11/23/2018 9:35 AM, 35732 bytes, A Adds the file fillvalues.js"="11/23/2018 9:35 AM, 47054 bytes, A Adds the file notifyname.js"="11/23/2018 9:35 AM, 46658 bytes, A Adds the file putsystem.js"="11/23/2018 9:35 AM, 42303 bytes, A Adds the file seekservice.js"="11/23/2018 9:35 AM, 28658 bytes, A Adds the file segmentaccount.js"="11/23/2018 9:35 AM, 31663 bytes, A Adds the file servevalue.js"="11/23/2018 9:35 AM, 35402 bytes, A Adds the file settlevalues.js"="11/23/2018 9:35 AM, 22206 bytes, A Adds the file substracthandle.js"="11/23/2018 9:35 AM, 1603 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\lib Adds the file pako.js"="11/23/2018 9:35 AM, 295784 bytes, A Adds the file Readability.js"="11/23/2018 9:35 AM, 63902 bytes, A Adds the file require.js"="11/23/2018 9:35 AM, 86328 bytes, A Adds the file require-content.js"="11/23/2018 9:35 AM, 410 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main Adds the file aborttier.js"="11/23/2018 9:35 AM, 8835 bytes, A Adds the file digproject.js"="11/23/2018 9:35 AM, 919 bytes, A Adds the file digtext.js"="11/23/2018 9:35 AM, 645 bytes, A Adds the file incrementlist.js"="11/23/2018 9:35 AM, 988 bytes, A Adds the file incrementlistA.js"="11/23/2018 9:35 AM, 14679 bytes, A Adds the file incrementlistB.js"="11/23/2018 9:35 AM, 19087 bytes, A Adds the file isboolsession.js"="11/23/2018 9:35 AM, 4579 bytes, A Adds the file maketool.js"="11/23/2018 9:35 AM, 1602 bytes, A Adds the file replacecounter.js"="11/23/2018 9:35 AM, 7535 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src Adds the file accumulatestore.js"="11/23/2018 9:35 AM, 4425 bytes, A Adds the file appearcounter.js"="11/23/2018 9:35 AM, 5193 bytes, A Adds the file includeservice.js"="11/23/2018 9:35 AM, 89981 bytes, A Adds the file leavepractical.js"="11/23/2018 9:35 AM, 44697 bytes, A Adds the file putconfigs.js"="11/23/2018 9:35 AM, 3048 bytes, A Adds the file replaceconfigs.js"="11/23/2018 9:35 AM, 3066 bytes, A Adds the file replacesignal.js"="11/23/2018 9:35 AM, 21530 bytes, A Adds the file servetext.js"="11/23/2018 9:35 AM, 27101 bytes, A Adds the file testserver.js"="11/23/2018 9:35 AM, 2024 bytes, A Adds the file tooglegate.js"="11/23/2018 9:35 AM, 25964 bytes, A Adds the file viewpoint.js"="11/23/2018 9:35 AM, 753 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjchijabihjkhmmaaihpgmhkklgakinl Adds the file 000003.log"="1/25/2019 9:15 AM, 2910 bytes, A Adds the file CURRENT"="1/25/2019 9:13 AM, 16 bytes, A Adds the file LOCK"="1/25/2019 9:13 AM, 0 bytes, A Adds the file LOG"="1/25/2019 9:13 AM, 185 bytes, A Adds the file MANIFEST-000001"="1/25/2019 9:13 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\{4c50cefd-8f14-41ab-b719-8606b116d1c2} Adds the file storage.js"="1/25/2019 9:18 AM, 2799 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {4c50cefd-8f14-41ab-b719-8606b116d1c2}.xpi"="1/25/2019 9:17 AM, 320736 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mjchijabihjkhmmaaihpgmhkklgakinl"="REG_SZ", "B903614B1B6CB6CAAA491C3CBDA7776F42FDC758F621EC64191930E8166E50F9" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/25/19 Scan Time: 9:22 AM Log File: 5ade47eb-207a-11e9-bdaf-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8960 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235681 Threats Detected: 113 Threats Quarantined: 113 Time Elapsed: 3 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.AdvertisingExt, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mjchijabihjkhmmaaihpgmhkklgakinl, Quarantined, [1720], [629211],1.0.8960 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 20 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\mjchijabihjkhmmaaihpgmhkklgakinl, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\bb-ta-template, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\lbx-template, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\tl-template, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\background, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\content, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\_metadata, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\core, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\html, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\css, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\lib, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MJCHIJABIHJKHMMAAIHPGMHKKLGAKINL, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\{4C50CEFD-8F14-41AB-B719-8606B116D1C2}, Quarantined, [1720], [629212],1.0.8960 File: 92 PUP.Optional.ExpressDirections, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\{4C50CEFD-8F14-41AB-B719-8606B116D1C2}.XPI, Quarantined, [4693], [628838],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjchijabihjkhmmaaihpgmhkklgakinl\000003.log, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjchijabihjkhmmaaihpgmhkklgakinl\CURRENT, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjchijabihjkhmmaaihpgmhkklgakinl\LOCK, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjchijabihjkhmmaaihpgmhkklgakinl\LOG, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjchijabihjkhmmaaihpgmhkklgakinl\MANIFEST-000001, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MJCHIJABIHJKHMMAAIHPGMHKKLGAKINL\200.7835.1047.33_0\MANIFEST.JSON, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\core\includeabstractor.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\core\notifytheme.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\css\backcomp.css, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\css\bb-ta-template.css, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\css\lbx-template.css, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\css\style.css, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\css\tl-template.css, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\html\background.html, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\html\bb-ta-template.html, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\html\lbx-template.html, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\html\tl-template.html, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons\128.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons\16.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons\19.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons\32.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons\38.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons\48.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\icons\64.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\ads.svg, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\clicks.svg, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\close.svg, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\h.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\h_on.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\overlay-close.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\overlay-question.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\questionmark.svg, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\trans_close.gif, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\trans_question.gif, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\trans_separator.gif, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\views.svg, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\x.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\images\x_on.png, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\background\require-config.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\bb-ta-template\require-config.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\content\require-config.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\lbx-template\require-config.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\tl-template\require-config.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js\vast.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\accessaccess.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\acquisitionparameters.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\cyclenotification.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\cycletext.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\fillvalues.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\notifyname.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\putsystem.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\seekservice.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\segmentaccount.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\servevalue.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\settlevalues.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\js_\substracthandle.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\lib\pako.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\lib\Readability.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\lib\require-content.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\lib\require.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\aborttier.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\digproject.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\digtext.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\incrementlist.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\incrementlistA.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\incrementlistB.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\isboolsession.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\maketool.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\main\replacecounter.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\accumulatestore.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\appearcounter.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\includeservice.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\leavepractical.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\putconfigs.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\replaceconfigs.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\replacesignal.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\servetext.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\testserver.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\tooglegate.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\src\viewpoint.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\_metadata\computed_hashes.json, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\_metadata\verified_contents.json, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\includeabstractor.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\notifytheme.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\segmentaccount.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\servetext.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\showservice.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjchijabihjkhmmaaihpgmhkklgakinl\200.7835.1047.33_0\shredticket.js, Quarantined, [1720], [629211],1.0.8960 PUP.Optional.AdvertisingExt, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\{4C50CEFD-8F14-41AB-B719-8606B116D1C2}\STORAGE.JS, Quarantined, [1720], [629212],1.0.8960 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is Search By Zooms?The Malwarebytes research team has determined that Search By Zooms is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Search By Zooms?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Search By Zooms get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:promoted by their website:How do I remove Search By Zooms?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Search By Zooms? No, Malwarebytes removes Search By Zooms completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Search By Zooms hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://zooms.searchalgo.com/search/?category=web&s=zds&q={searchTerms} CHR DefaultSearchKeyword: Default -> My Search CHR DefaultSuggestURL: Default -> hxxp://sug.searchalgo.com/search/index_sg.php?q={searchTerms} CHR Extension: (My Search) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh [2019-01-24] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0 Adds the file background.js"="3/9/2015 9:06 AM, 225 bytes, A Adds the file manifest.json"="1/24/2019 10:14 AM, 1953 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\_metadata Adds the file computed_hashes.json"="1/24/2019 10:14 AM, 5270 bytes, A Adds the file verified_contents.json"="3/10/2015 3:32 PM, 3608 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base Adds the file domains.json"="3/8/2015 11:49 AM, 179 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs Adds the file base.js"="3/10/2015 2:40 PM, 5502 bytes, A Adds the file content-newtab.js"="3/10/2015 3:00 PM, 506 bytes, A Adds the file jquery-1.9.1.js"="3/8/2015 11:49 AM, 277978 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products Adds the file baseParameters.js"="3/9/2015 3:53 PM, 427 bytes, A Adds the file espeedcheck_parameters.js"="3/9/2015 3:53 PM, 429 bytes, A Adds the file espeedcheck_parameters_ds.js"="3/9/2015 3:53 PM, 427 bytes, A Adds the file espeedcheck_parameters_nt.js"="3/9/2015 3:53 PM, 427 bytes, A Adds the file gozooms_parameters_ds.js"="3/9/2015 3:53 PM, 414 bytes, A Adds the file gozooms_parameters_nt.js"="3/9/2015 3:53 PM, 396 bytes, A Adds the file wiki_parameters.js"="3/9/2015 3:53 PM, 424 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\icons Adds the file icon_128.png"="1/24/2019 10:14 AM, 5398 bytes, A Adds the file icon_16.png"="2/16/2015 6:22 PM, 1736 bytes, A Adds the file icon_32.png"="2/16/2015 6:22 PM, 2856 bytes, A Adds the file icon_64.png"="2/16/2015 6:22 PM, 4934 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "gpmlkknmhomikheehibdnedjampadffh"="REG_SZ", "66B445A6C917C61EDD353C24D66E3D1058CD45A7D4CBE7703B10BA72897FF7CB" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/24/19 Scan Time: 10:22 AM Log File: 880f2bce-1fb9-11e9-9186-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8946 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235741 Threats Detected: 31 Threats Quarantined: 31 Time Elapsed: 3 min, 10 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.MySearch.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|gpmlkknmhomikheehibdnedjampadffh, Quarantined, [1869], [443176],1.0.8946 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\_metadata, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\icons, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GPMLKKNMHOMIKHEEHIBDNEDJAMPADFFH, Quarantined, [1869], [443176],1.0.8946 File: 23 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GPMLKKNMHOMIKHEEHIBDNEDJAMPADFFH\1.2.2_0\MANIFEST.JSON, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products\baseParameters.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products\espeedcheck_parameters.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products\espeedcheck_parameters_ds.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products\espeedcheck_parameters_nt.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products\gozooms_parameters_ds.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products\gozooms_parameters_nt.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\products\wiki_parameters.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\base.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\content-newtab.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\basejs\jquery-1.9.1.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\extensions_base\domains.json, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\icons\icon_128.png, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\icons\icon_16.png, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\icons\icon_32.png, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\icons\icon_64.png, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\_metadata\computed_hashes.json, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\_metadata\verified_contents.json, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.MySearch.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmlkknmhomikheehibdnedjampadffh\1.2.2_0\background.js, Quarantined, [1869], [443176],1.0.8946 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.8946 PUP.Optional.SearchAlgo, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [348], [454816],1.0.8946 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is PowerGamesNetwork ads?The Malwarebytes research team has determined that PowerGamesNetwork ads is a potentially unwanted program that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.How do I know if my computer is affected by PowerGamesNetwork ads?You may see these warnings during install:this icon in the menu-bar of the affected browser:and these browser extensions:How did PowerGamesNetwork ads get on my computer?Adware applications use different methods for distributing themselves. This particular one was downloaded from their website:the Chrome extension after a redirect to the webstore:How do I remove PowerGamesNetwork ads?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PowerGamesNetwork ads? No, Malwarebytes removes PowerGamesNetwork ads completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this adware.As you can see below the full version of Malwarebytes would have protected you against the PowerGamesNetwork ads adware. We protect our customers from these extensions by blocking the sites that spread them: Technical details for expertsPossible signs in FRST logs: FF Extension: (PowerGamesNetwork ads) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\{89ac12b3-2da6-423f-afdd-a755925070d9}.xpi [2019-01-23] CHR Extension: (PowerGamesNetwork ads) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd [2019-01-23] Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0 Adds the file adentify.js"="12/7/2018 5:21 PM, 163761 bytes, A Adds the file background.html"="12/7/2018 5:21 PM, 178 bytes, A Adds the file background.js"="12/7/2018 5:21 PM, 141102 bytes, A Adds the file content.js"="12/7/2018 5:21 PM, 46239 bytes, A Adds the file inimgContent.js"="12/7/2018 5:21 PM, 102596 bytes, A Adds the file install.js"="12/7/2018 5:21 PM, 407 bytes, A Adds the file intextContent.js"="12/7/2018 5:21 PM, 118681 bytes, A Adds the file intextstyle.css"="12/7/2018 5:21 PM, 1613 bytes, A Adds the file manifest.json"="1/23/2019 8:52 AM, 1955 bytes, A Adds the file overlay_style.css"="12/7/2018 5:21 PM, 14208 bytes, A Adds the file vsframe.js"="12/7/2018 5:21 PM, 21774 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\_metadata Adds the file computed_hashes.json"="1/23/2019 8:52 AM, 8129 bytes, A Adds the file verified_contents.json"="12/11/2018 1:43 PM, 2860 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\img Adds the file close.svg"="12/7/2018 5:21 PM, 1594 bytes, A Adds the file icon.png"="1/23/2019 8:52 AM, 12857 bytes, A Adds the file icon48.png"="1/23/2019 8:52 AM, 4663 bytes, A Adds the file info.svg"="12/7/2018 5:21 PM, 1251 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd Adds the file 000003.log"="1/23/2019 8:52 AM, 0 bytes, A Adds the file CURRENT"="1/23/2019 8:52 AM, 16 bytes, A Adds the file LOCK"="1/23/2019 8:52 AM, 0 bytes, A Adds the file LOG"="1/23/2019 8:52 AM, 0 bytes, A Adds the file MANIFEST-000001"="1/23/2019 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd Adds the file 000003.log"="1/23/2019 8:52 AM, 0 bytes, A Adds the file CURRENT"="1/23/2019 8:52 AM, 16 bytes, A Adds the file LOCK"="1/23/2019 8:52 AM, 0 bytes, A Adds the file LOG"="1/23/2019 8:52 AM, 0 bytes, A Adds the file MANIFEST-000001"="1/23/2019 8:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\{89ac12b3-2da6-423f-afdd-a755925070d9} In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file {89ac12b3-2da6-423f-afdd-a755925070d9}.xpi"="1/23/2019 8:54 AM, 649104 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iclllcgfogjnjkmjepkffmnbggobdidd"="REG_SZ", "7ED9D96B55E437F680A8A3077E75D7893DF1857170E08E65630A61A12972D2A7" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/23/19 Scan Time: 11:59 AM Log File: 02c5e392-1efe-11e9-81b5-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8932 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235728 Threats Detected: 37 Threats Quarantined: 37 Time Elapsed: 3 min, 57 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.PowerGamesNetWorkAds, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iclllcgfogjnjkmjepkffmnbggobdidd, Quarantined, [2180], [625498],1.0.8932 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 6 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\_metadata, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\img, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\iclllcgfogjnjkmjepkffmnbggobdidd, Quarantined, [2180], [625498],1.0.8932 File: 30 PUP.Optional.PowerGamesNetWorkAds, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\{89AC12B3-2DA6-423F-AFDD-A755925070D9}.XPI, Quarantined, [2180], [628539],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\img\close.svg, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\img\icon.png, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\img\icon48.png, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\img\info.svg, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\_metadata\computed_hashes.json, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\_metadata\verified_contents.json, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\adentify.js, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\background.html, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\background.js, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\content.js, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\inimgContent.js, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\install.js, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\intextContent.js, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\intextstyle.css, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\manifest.json, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\overlay_style.css, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclllcgfogjnjkmjepkffmnbggobdidd\8.1.1.5_0\vsframe.js, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\000003.log, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\CURRENT, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\LOCK, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\LOG, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\MANIFEST-000001, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\000003.log, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\CURRENT, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\LOCK, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\LOG, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\iclllcgfogjnjkmjepkffmnbggobdidd\MANIFEST-000001, Quarantined, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2180], [625498],1.0.8932 PUP.Optional.PowerGamesNetWorkAds, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2180], [625498],1.0.8932 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is Power Clean Pro 2019?The Malwarebytes research team has determined that Power Clean Pro 2019 is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with Power Clean Pro 2019?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did Power Clean Pro 2019 get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded after a fake online scan.How do I remove Power Clean Pro 2019?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Power Clean Pro 2019? No, Malwarebytes removes Power Clean Pro 2019 completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the Power Clean Pro 2019 installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\Program Files\Power Clean-Pro-2019 for {computername}\rtc.exe C:\Windows\System32\Tasks\Power Clean-Pro-2019_Logon C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername} C:\ProgramData\Power Clean-Pro-2019 for {computername} C:\Users\Public\Desktop\Power Clean-Pro-2019.lnk C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Power Clean-Pro-2019 for {computername} C:\Program Files\Power Clean-Pro-2019 for {computername} Power Clean-Pro-2019 (HKLM\...\{0B7B9E5F-A496-4B19-8B2E-F1DF78AB4251}_is1) (Version: 1.0.0.0 - ) Task: {C5DC28E7-A429-49D4-827F-575670193BC0} - System32\Tasks\Power Clean-Pro-2019_Logon => C:\Program Files\Power Clean-Pro-2019 for {computername}\rtc.exe [2019-01-18] () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Power Clean-Pro-2019 for {computername} Adds the file application.ico"="1/8/2019 1:56 PM, 56150 bytes, A Adds the file danish_iss.ini"="5/16/2018 12:25 PM, 2402 bytes, A Adds the file Dutch_iss.ini"="5/16/2018 12:25 PM, 2600 bytes, A Adds the file english_iss.ini"="5/16/2018 12:25 PM, 2256 bytes, A Adds the file finish_iss.ini"="5/16/2018 12:25 PM, 2368 bytes, A Adds the file French_iss.ini"="5/16/2018 12:25 PM, 2792 bytes, A Adds the file german_iss.ini"="5/16/2018 12:25 PM, 2658 bytes, A Adds the file gmtrs.dll"="1/18/2019 4:30 PM, 1969248 bytes, A Adds the file HtmlRenderer.dll"="1/18/2019 4:30 PM, 236640 bytes, A Adds the file HtmlRenderer.WinForms.dll"="1/18/2019 4:30 PM, 75360 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="1/18/2019 4:30 PM, 64096 bytes, A Adds the file Interop.SHDocVw.dll"="1/18/2019 4:30 PM, 178784 bytes, A Adds the file italian_iss.ini"="5/16/2018 12:25 PM, 2532 bytes, A Adds the file japanese_iss.ini"="5/16/2018 12:25 PM, 1844 bytes, A Adds the file langs.db"="11/10/2018 4:17 PM, 477184 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="1/18/2019 4:30 PM, 185952 bytes, A Adds the file NAudio.dll"="1/18/2019 4:30 PM, 485984 bytes, A Adds the file Newtonsoft.Json.dll"="1/18/2019 4:30 PM, 475744 bytes, A Adds the file norwegian_iss.ini"="5/16/2018 12:25 PM, 2358 bytes, A Adds the file PaddleCheckoutSDK.dll"="1/18/2019 4:30 PM, 73824 bytes, A Adds the file portuguese_iss.ini"="5/16/2018 12:25 PM, 2424 bytes, A Adds the file rtc.exe"="1/18/2019 4:30 PM, 2384480 bytes, A Adds the file rtc.exe.config"="1/18/2019 4:29 PM, 6457 bytes, A Adds the file russian_iss.ini"="5/16/2018 12:25 PM, 2494 bytes, A Adds the file spanish_iss.ini"="5/16/2018 12:25 PM, 2548 bytes, A Adds the file swedish_iss.ini"="5/16/2018 12:25 PM, 2270 bytes, A Adds the file System.Data.SQLite.DLL"="1/18/2019 4:30 PM, 305760 bytes, A Adds the file TAFactory.IconPack.dll"="1/18/2019 4:30 PM, 51808 bytes, A Adds the file unins000.dat"="1/22/2019 8:56 AM, 85957 bytes, A Adds the file unins000.exe"="1/22/2019 8:55 AM, 1243744 bytes, A Adds the file unins000.msg"="1/22/2019 8:56 AM, 22701 bytes, A Adds the folder C:\Program Files\Power Clean-Pro-2019 for {computername}\x64 Adds the file SQLite.Interop.dll"="1/18/2019 4:30 PM, 1190496 bytes, A Adds the folder C:\Program Files\Power Clean-Pro-2019 for {computername}\x86 Adds the file SQLite.Interop.dll"="1/18/2019 4:30 PM, 869472 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Power Clean-Pro-2019 for {computername} Adds the file Buy Power Clean-Pro-2019.lnk"="1/22/2019 8:56 AM, 1014 bytes, A Adds the file Power Clean-Pro-2019.lnk"="1/22/2019 8:56 AM, 1002 bytes, A Adds the file Uninstall Power Clean-Pro-2019.lnk"="1/22/2019 8:56 AM, 1033 bytes, A Adds the folder C:\ProgramData\Power Clean-Pro-2019 for {computername} Adds the file mdb.db"="10/26/2018 11:37 AM, 6643712 bytes, A Adds the file pcspstartrepair_en.mp3"="5/16/2018 12:25 PM, 130973 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername} Adds the file Errorlog.txt"="1/22/2019 8:57 AM, 25350 bytes, A Adds the file exlist.bin"="1/22/2019 8:57 AM, 258023 bytes, A Adds the file notifier.xml"="1/22/2019 8:57 AM, 15958 bytes, A Adds the file param.ini"="1/22/2019 8:56 AM, 3822 bytes, A Adds the file res.xml"="1/22/2019 8:57 AM, 11691 bytes, A Adds the file update.xml"="1/22/2019 8:57 AM, 42638 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\smico In the existing folder C:\Users\Public\Desktop Adds the file Power Clean-Pro-2019.lnk"="1/22/2019 8:56 AM, 984 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Power Clean-Pro-2019_Logon"="1/22/2019 8:57 AM, 3082 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0B7B9E5F-A496-4B19-8B2E-F1DF78AB4251}_is1] "DisplayIcon"="REG_SZ", "C:\Program Files\Power Clean-Pro-2019 for {computername}\rtc.exe" "DisplayName"="REG_SZ", "Power Clean-Pro-2019" "DisplayVersion"="REG_SZ", "1.0.0.0" "EstimatedSize"="REG_DWORD", 18658 "Inno Setup: App Path"="REG_SZ", "C:\Program Files\Power Clean-Pro-2019 for {computername}" "Inno Setup: Icon Group"="REG_SZ", "Power Clean-Pro-2019 for {computername}" "Inno Setup: Language"="REG_SZ", "en" "Inno Setup: Setup Version"="REG_SZ", "5.5.8 (u)" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20190122" "InstallLocation"="REG_SZ", "C:\Program Files\Power Clean-Pro-2019 for {computername}\" "MajorVersion"="REG_DWORD", 1 "MinorVersion"="REG_DWORD", 0 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "QuietUninstallString"="REG_SZ", ""C:\Program Files\Power Clean-Pro-2019 for {computername}\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files\Power Clean-Pro-2019 for {computername}\unins000.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Power Clean-Pro-2019 For {computername}] "affired"="REG_DWORD", 1 "afterInstallUrl"="REG_SZ", "http://ins.trkinstl.com/install/pcpo/?" "apst"="REG_DWORD", 0 "btnid"="REG_SZ", "" "buybowinapp"="REG_SZ", "http://store.aaspeedsysutils.club/pcpo/plan?" "cbkpoff"="REG_DWORD", 1 "country"="REG_SZ", "nl" "cta"="REG_DWORD", 0 "delaytime"="REG_DWORD", 0 "dlllist"="REG_SZ", "PSMACHINE_64.DLL,MSSPELLCHECKINGFACILITY.DLL" "EmailURL"="REG_SZ", "" "expired"="REG_DWORD", 0 "hdata"="REG_BINARY, ......................................................................................................... "Installstring"="REG_SZ", "C:\Program Files\Power Clean-Pro-2019 for {computername}" "ipaddrurl"="REG_SZ", "http://www.trkinstl.com/getip/" "isavst"="REG_DWORD", 0 "isiunidu"="REG_DWORD", 0 "isprmjsn"="REG_DWORD", 0 "isshowng"="REG_DWORD", 1 "issilent"="REG_DWORD", 0 "ISTELNO"="REG_DWORD", 1 "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "lstregscancount"="REG_DWORD", 29 "lstscandate"="REG_SZ", "1/22/2019 8:57:51 AM" "lstscanstat"="REG_DWORD", 2 "lstsecscancount"="REG_DWORD", 0 "lsttotalscancount"="REG_DWORD", 29 "ovoffdis"="REG_DWORD", 0 "paramurl"="REG_SZ", "http://trkr.trkinstl.com/ipfiles/" "pdtm"="REG_DWORD", 45 "playsound"="REG_DWORD", 1 "plurl"="REG_SZ", "http://pp.trkinstl.com/ProductPrice.svc/" "prereg"="REG_DWORD", 0 "PurchaseURL"="REG_SZ", "http://store.aaspeedsysutils.club/pcpo/price?" "pxl"="REG_SZ", "WFX3591_WFX3519_RUNT" "referurl"="REG_SZ", "http%253a%252f%252fwww.microsoft.com-repair-windows.live/{fakescan url}" "reg"="REG_DWORD", 0 "RenewURL"="REG_SZ", "http://store.aaspeedsysutils.club/pcpo/renewal?" "runcam"="REG_DWORD", 1 "runpixel"="REG_DWORD", 1 "runsrc"="REG_DWORD", 1 "showtn"="REG_DWORD", 0 "showunins"="REG_DWORD", 0 "showwfo"="REG_DWORD", 0 "stdismax"="REG_DWORD", -1 "supporturl"="REG_SZ", "http://www.aaspeedsysutils.club/help/" "TELNO"="REG_SZ", "085 888 7056" "TELNO_ar"="REG_SZ", "+54 11 5236 0324" "TELNO_at"="REG_SZ", "+43 (0)720 902 309" "TELNO_au"="REG_SZ", "(61)280-733403" "TELNO_be"="REG_SZ", "+32-28085306" "TELNO_br"="REG_SZ", "+55 21 2391 4319" "TELNO_ch"="REG_SZ", "+41 (0)44 508 70 37" "TELNO_de"="REG_SZ", "0800 1822 974" "TELNO_dk"="REG_SZ", "+45 78 73 09 26" "TELNO_es"="REG_SZ", "+34 951 203 537" "TELNO_fi"="REG_SZ", "+358 (0)9 4270 4911" "TELNO_fr"="REG_SZ", "05 82 84 04 06" "TELNO_gb"="REG_SZ", "0800-031-5066" "TELNO_it"="REG_SZ", "+39 069 4802886" "TELNO_ja"="REG_SZ", "" "TELNO_lu"="REG_SZ", "0800 1822 974" "TELNO_nl"="REG_SZ", "085 888 7056" "TELNO_no"="REG_SZ", "+47 21 95 01 97" "TELNO_pt"="REG_SZ", "+351 70 750 2094" "TELNO_se"="REG_SZ", "+46-08124-10298" "TELNO_uk"="REG_SZ", "0800-031-5066" "TELNO_us"="REG_SZ", "(855)-332-0124" "utm_campaign"="REG_SZ", "wfxmrkt" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1407888" "utm_source"="REG_SZ", "wfxmrkt" "WebURL"="REG_SZ", "http://www.aaspeedsysutils.club/" "wfoset"="REG_DWORD", 1 "x-at"="REG_SZ", "56f7076e-d0d8-4538-9d72-8ec80962b924" "x-ccode"="REG_SZ", "nl" "x-context"="REG_SZ", "d7KQAMA27B6QBOMJ12TOBJ06" "x-datetime"="REG_SZ", "01-22-2019 07:56:58 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "163_158_218_124" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "country"="REG_SZ", "nl" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WFX3591_WFX3519_RUNT" "referUrl"="REG_SZ", "http%253a%252f%252fwww.microsoft.com-repair-windows.live%252f" "TELNO"="REG_SZ", "" "utm_campaign"="REG_SZ", "wfxmrkt" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1407888" "utm_source"="REG_SZ", "wfxmrkt" "x-at"="REG_SZ", "56f7076e-d0d8-4538-9d72-8ec80962b924" "x-context"="REG_SZ", "d7KQAMA27B6QBOMJ12TOBJ06" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\UG93ZXIgQ2xlYW4tUHJvLTIwMTk=\ACT] "data"="REG_BINARY, ....................................................................................................................... [HKEY_CURRENT_USER\Software\Power Clean-Pro-2019 For {computername}] "affiliateid"="REG_SZ", "" "btnid"="REG_SZ", "" "InstallString"="REG_SZ", "C:\Program Files\Power Clean-Pro-2019 for {computername}" "LangCode"="REG_SZ", "en" "lpid"="REG_SZ", "" "pxl"="REG_SZ", "WFX3591_WFX3519_RUNT" "referurl"="REG_SZ", "http%253a%252f%252fwww.microsoft.com-repair-windows.live/{fakescan url}" "TELNO"="REG_SZ", "085 888 7056" "TELNO_nl"="REG_SZ", "085 888 7056" "utm_campaign"="REG_SZ", "wfxmrkt" "utm_medium"="REG_SZ", "" "utm_pubid"="REG_SZ", "1407888" "utm_source"="REG_SZ", "wfxmrkt" "x-at"="REG_SZ", "56f7076e-d0d8-4538-9d72-8ec80962b924" "x-context"="REG_SZ", "d7KQAMA27B6QBOMJ12TOBJ06" "x-datetime"="REG_SZ", "01-22-2019 07:56:58 AM" "x-fetch"="REG_SZ", "1" "x-ip"="REG_SZ", "163_158_218_124" "x-plt"="REG_SZ", "" "x-var1"="REG_SZ", "" "x-var2"="REG_SZ", "" "x-var3"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Power Clean-Pro-2019 For {computername}\1.0.0.0] "Installstring"="REG_SZ", "C:\Program Files\Power Clean-Pro-2019 for {computername}" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/22/19 Scan Time: 9:05 AM Log File: 88c74fcc-1e1c-11e9-8ba1-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8906 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235928 Threats Detected: 81 Threats Quarantined: 81 Time Elapsed: 3 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\rtc.exe, Quarantined, [441], [627229],1.0.8906 Module: 7 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\x64\SQLite.Interop.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\PaddleCheckoutSDK.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\rtc.exe, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\System.Data.SQLite.DLL, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\TAFactory.IconPack.dll, Quarantined, [441], [627229],1.0.8906 Registry Key: 8 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Power Clean-Pro-2019_Logon, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C5DC28E7-A429-49D4-827F-575670193BC0}, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C5DC28E7-A429-49D4-827F-575670193BC0}, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0B7B9E5F-A496-4B19-8B2E-F1DF78AB4251}_is1, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, HKCU\SOFTWARE\Power Clean-Pro-2019 For {computername}, Quarantined, [441], [627235],1.0.8906 PUP.Optional.Jawego, HKLM\SOFTWARE\UG93ZXIgQ2xlYW4tUHJvLTIwMTk=, Quarantined, [583], [535314],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR, Quarantined, [441], [540842],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\Power Clean-Pro-2019 For {computername}, Quarantined, [441], [627234],1.0.8906 Registry Value: 5 PUP.Optional.PCVARK, HKCU\SOFTWARE\Power Clean-Pro-2019 For {computername}|TELNO_NL, Quarantined, [441], [627235],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C5DC28E7-A429-49D4-827F-575670193BC0}|PATH, Quarantined, [441], [627226],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\SCD-PR|AFFILIATEID, Quarantined, [441], [540842],1.0.8906 PUP.Optional.MasterPCCleaner, HKLM\SOFTWARE\SCD-PR|PXL, Quarantined, [1186], [484510],1.0.8906 PUP.Optional.PCVARK, HKLM\SOFTWARE\Power Clean-Pro-2019 For {computername}|AFFIRED, Quarantined, [441], [627234],1.0.8906 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\x64, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\x86, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\PROGRAM FILES\Power Clean-Pro-2019 for {computername}, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Power Clean-Pro-2019 for {computername}, Quarantined, [441], [627233],1.0.8906 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\smico, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Power Clean-Pro-2019 For {computername}, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\ProgramData\Power Clean-Pro-2019 for {computername}\offers, Quarantined, [441], [627236],1.0.8906 PUP.Optional.PCVARK, C:\PROGRAMDATA\Power Clean-Pro-2019 for {computername}, Quarantined, [441], [627236],1.0.8906 File: 52 PUP.Optional.PCVARK, C:\PROGRAM FILES\Power Clean-Pro-2019 for {computername}\unins000.dat, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\x64\SQLite.Interop.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\x86\SQLite.Interop.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\Microsoft.Win32.TaskScheduler.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\application.ico, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\danish_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\Dutch_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\english_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\finish_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\French_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\german_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\gmtrs.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\HtmlRenderer.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\HtmlRenderer.WinForms.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\Interop.IWshRuntimeLibrary.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\Interop.SHDocVw.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\italian_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\japanese_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\langs.db, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\NAudio.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\Newtonsoft.Json.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\norwegian_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\PaddleCheckoutSDK.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\portuguese_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\rtc.exe, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\rtc.exe.config, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\russian_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\spanish_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\swedish_iss.ini, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\System.Data.SQLite.DLL, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\TAFactory.IconPack.dll, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\unins000.exe, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\Program Files\Power Clean-Pro-2019 for {computername}\unins000.msg, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\WINDOWS\SYSTEM32\TASKS\Power Clean-Pro-2019_Logon, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\Power Clean-Pro-2019.lnk, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\USERS\PUBLIC\DESKTOP\Power Clean-Pro-2019.lnk, Quarantined, [441], [627229],1.0.8906 PUP.Optional.PCVARK, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\Power Clean-Pro-2019 for {computername}\Buy Power Clean-Pro-2019.lnk, Quarantined, [441], [627233],1.0.8906 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Power Clean-Pro-2019 for {computername}\Power Clean-Pro-2019.lnk, Quarantined, [441], [627233],1.0.8906 PUP.Optional.PCVARK, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Power Clean-Pro-2019 for {computername}\Uninstall Power Clean-Pro-2019.lnk, Quarantined, [441], [627233],1.0.8906 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\ROAMING\Power Clean-Pro-2019 For {computername}\Errorlog.txt, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\a_p_t_2.xml, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\exlist.bin, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\notifier.xml, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\param.ini, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\res.xml, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\Users\{username}\AppData\Roaming\Power Clean-Pro-2019 For {computername}\update.xml, Quarantined, [441], [627231],1.0.8906 PUP.Optional.PCVARK, C:\PROGRAMDATA\Power Clean-Pro-2019 for {computername}\mdb.db, Quarantined, [441], [627236],1.0.8906 PUP.Optional.PCVARK, C:\ProgramData\Power Clean-Pro-2019 for {computername}\offers\a_p_t.exe, Quarantined, [441], [627236],1.0.8906 PUP.Optional.PCVARK, C:\ProgramData\Power Clean-Pro-2019 for {computername}\pcspstartrepair_en.mp3, Quarantined, [441], [627236],1.0.8906 PUP.Optional.PCVARK, C:\PROGRAMDATA\POWER CLEAN-PRO-2019 FOR {computername}\OFFERS\A_P_T.EXE, Quarantined, [441], [583068],1.0.8906 PUP.Optional.PCVARK, C:\USERS\{username}\DESKTOP\POWERCLEANPRO.EXE, Quarantined, [441], [624593],1.0.8906 PUP.Optional.PCVARK, C:\USERS\{username}\APPDATA\LOCAL\TEMP\_IU14D2N.TMP, Quarantined, [441], [583068],1.0.8906 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is CPU Guardian?The Malwarebytes research team has determined that CPU Guardian is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with CPU Guardian?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see these warnings during install:and these screens during "operations":You may see this entry in your list of installed programs:and this task in your list of Scheduled Tasks:How did CPU Guardian get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was promoted on a download site.How do I remove CPU Guardian?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of CPU Guardian? No, Malwarebytes removes CPU Guardian completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the CPU Guardian installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their downloadsite: Technical details for expertsYou may see these entries in FRST logs: (CPU Guardian) C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe C:\Windows\System32\Tasks\CPUGuardian_Start C:\Users\{username}\AppData\Local\CPU_Guardian C:\Users\{username}\Documents\CPUGuardian C:\Users\{username}\Desktop\CPU Guardian.lnk C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CPU Guardian C:\Program Files (x86)\CPU Guardian CPU Guardian (HKLM-x32\...\CPU Guardian) (Version: 3.1.4 - CPU Guardian) Task: {05CB6457-23B6-4AE2-AB00-00F3CC511311} - System32\Tasks\CPUGuardian_Start => C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe [2017-01-26] (CPU Guardian) <==== ATTENTION Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\CPU Guardian Adds the file Ca100.exe"="1/26/2017 2:02 PM, 297344 bytes, A Adds the file Ca100.exe.config"="8/16/2016 3:07 PM, 221 bytes, A Adds the file ComponentFactory.Krypton.Toolkit.dll"="4/8/2012 7:43 PM, 2667520 bytes, A Adds the file CPUGuardian.exe"="1/26/2017 2:02 PM, 3437448 bytes, A Adds the file CPUGuardian.exe.config"="1/24/2017 10:57 AM, 5719 bytes, A Adds the file InstAct.exe"="1/26/2017 2:02 PM, 35712 bytes, A Adds the file InstAct.exe.config"="6/11/2015 2:38 PM, 230 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="1/26/2017 1:13 PM, 49152 bytes, A Adds the file Interop.Shell32.dll"="1/26/2017 1:13 PM, 49152 bytes, A Adds the file Microsoft.Win32.TaskScheduler.dll"="11/19/2015 2:16 PM, 322560 bytes, A Adds the file Push.exe"="1/26/2017 2:02 PM, 25472 bytes, A Adds the file Push.exe.config"="12/12/2016 7:24 AM, 224 bytes, A Adds the file Setup.dll"="1/26/2017 1:13 PM, 87552 bytes, A Adds the file Setup.dll.config"="6/11/2015 2:38 PM, 227 bytes, A Adds the file Splash.exe"="1/26/2017 2:02 PM, 274816 bytes, A Adds the file Splash.exe.config"="6/11/2015 2:38 PM, 230 bytes, A Adds the file uninstall.exe"="1/26/2017 2:02 PM, 199288 bytes, A Adds the file updater.exe"="1/26/2017 2:02 PM, 507272 bytes, A Adds the file updater.ini"="1/21/2019 8:52 AM, 367 bytes, A Adds the folder C:\Program Files (x86)\CPU Guardian\de Adds the file Ca100.resources.dll"="1/26/2017 1:13 PM, 7680 bytes, A Adds the file CPUGuardian.resources.dll"="1/26/2017 1:13 PM, 66560 bytes, A Adds the file Splash.resources.dll"="1/26/2017 1:13 PM, 5632 bytes, A Adds the folder C:\Users\{username}\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\3.1.4.0 Adds the file user.config"="1/21/2019 8:54 AM, 712 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CPU Guardian Adds the file CPU Guardian.lnk"="1/21/2019 8:52 AM, 1086 bytes, A Adds the file Uninstall CPU Guardian.lnk"="1/21/2019 8:52 AM, 858 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file CPU Guardian.lnk"="1/21/2019 8:52 AM, 1050 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file CPUGuardian_Start"="1/21/2019 8:53 AM, 3216 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CPU Guardian] " "="REG_SZ"", "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CPU Guardian\CPU Guardian] "Path"="REG_SZ"", "C:\Program Files (x86)\CPU Guardian" "Version"="REG_SZ"", "3.1.4" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CPU Guardian] "DisplayIcon"="REG_SZ"", "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" "DisplayName"="REG_SZ"", "CPU Guardian" "DisplayVersion"="REG_SZ"", "3.1.4" "EstimatedSize"="REG_DWORD"", 9314 "NoModify"="REG_DWORD"", 1 "NoRepair"="REG_DWORD"", 1 "Publisher"="REG_SZ"", "CPU Guardian" "QuietUninstallString"="REG_SZ"", "C:\Program Files (x86)\CPU Guardian\uninstall.exe /S" "UninstallString"="REG_SZ"", "C:\Program Files (x86)\CPU Guardian\uninstall.exe" [HKEY_CURRENT_USER\Software\CPU Guardian\CPU Guardian] "Custom1"="REG_DWORD"", 0 "Custom2"="REG_DWORD"", 0 "ResName"="REG_SZ"", "Regular" [HKEY_CURRENT_USER\Software\CPUGuardianLanguage] "lang"="REG_SZ"", "en" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/21/19 Scan Time: 9:01 AM Log File: b59ae498-1d52-11e9-bdbc-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8886 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235769 Threats Detected: 118 Threats Quarantined: 118 Time Elapsed: 2 min, 57 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe, Quarantined, [2873], [626135],1.0.8886 Module: 1 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe, Quarantined, [2873], [626135],1.0.8886 Registry Key: 4 PUP.Optional.CPUGuardian, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\CPUGuardian_Start, Quarantined, [2873], [626139],1.0.8886 PUP.Optional.CPUGuardian, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{05CB6457-23B6-4AE2-AB00-00F3CC511311}, Quarantined, [2873], [626139],1.0.8886 PUP.Optional.CPUGuardian, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{05CB6457-23B6-4AE2-AB00-00F3CC511311}, Quarantined, [2873], [626139],1.0.8886 PUP.Optional.CPUGuardian, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CPU Guardian, Quarantined, [2873], [626135],1.0.8886 Registry Value: 1 PUP.Optional.CPUGuardian, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{05CB6457-23B6-4AE2-AB00-00F3CC511311}|PATH, Quarantined, [2873], [626137],1.0.8886 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 23 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Latn-BA, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Latn-RS, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fil-PH, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\hr-HR, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\se-FI, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\th-TH, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\tr-TR, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ar, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\da, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\de, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\es, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fr, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\he, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\it, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ja, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\nl, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\no, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\pt, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ru, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sv, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\PROGRAM FILES (X86)\CPU GUARDIAN, Quarantined, [2873], [626135],1.0.8886 File: 88 PUP.Optional.CPUGuardian, C:\WINDOWS\SYSTEM32\TASKS\CPUGuardian_Start, Quarantined, [2873], [626139],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ar\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ar\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ar\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\da\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\da\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\da\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\de\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\de\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\de\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\es\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\es\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\es\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fil-PH\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fil-PH\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fil-PH\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fr\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fr\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\fr\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\he\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\he\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\he\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\hr-HR\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\hr-HR\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\hr-HR\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\it\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\it\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\it\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ja\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ja\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ja\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\nl\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\nl\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\nl\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\no\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\no\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\no\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\pt\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\pt\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\pt\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ru\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ru\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ru\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\se-FI\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\se-FI\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\se-FI\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sv\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sv\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\sv\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\th-TH\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\th-TH\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\th-TH\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\tr-TR\Ca100.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\tr-TR\CPUGuardian.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\tr-TR\Splash.resources.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\InstAct.exe.config, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Ca100.exe, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Ca100.exe.config, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe.config, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\InstAct.exe, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Interop.IWshRuntimeLibrary.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Interop.Shell32.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Push.exe, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Push.exe.config, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Setup.dll, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Setup.dll.config, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Splash.exe, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\Splash.exe.config, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\uninstall.exe, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\updater.exe, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\Program Files (x86)\CPU Guardian\updater.ini, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\USERS\{username}\DESKTOP\CPU Guardian.lnk, Quarantined, [2873], [626135],1.0.8886 PUP.Optional.CPUGuardian, C:\USERS\{username}\DESKTOP\CPUGUARDIANSETUP.EXE, Quarantined, [2873], [414102],1.0.8886 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is Controller?The Malwarebytes research team has determined that Controller is a forced Firefox extension. The extensions that belong to this family are capable of downloading code after the installation to perform several functions: search hijackers crypto-currency miners adware How do I know if my computer is affected by Controller?You may see these warnings during install:After install you may see this entry in your list of installed Firefox extensions:How did Controller get on my computer?Forced extensions use typical methods for distributing themselves.They try to keep users trapped until they agree to install the extension.How do I remove Controller?Our program Malwarebytes can detect and remove this unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Controller? No, Malwarebytes removes Controller completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this forced extension.We protect our customers from these extensions by blocking the sites that spread them and the domains they contact for additional code:Technical details for expertsPossible signs in FRST logs: FF Extension: (Controller) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\sabqo@yolla.net.xpi [2019-01-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file sabqo@yolla.net.xpi"="1/16/2019 4:32 PM, 31824 bytes, A Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/16/19 Scan Time: 7:43 PM Log File: 8cfda468-19be-11e9-98d1-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8820 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235839 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 4 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 PUP.Optional.ForcedInstalledExtensionFF, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\SABQO@YOLLA.NET.XPI, Quarantined, [1714], [625208],1.0.8820 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  22. What is DriverFix?The Malwarebytes research team has determined that DriverFix is a "driver updater". These so-called "system optimizers" often use intentional false positives or exaggerated results to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.More information can be found on our Malwarebytes Labs blog.How do I know if I am infected with DriverFix?This is how the main screen of the system optimizer looks:You will find these icons in your taskbar, your startmenu, and on your desktop:and see this warning during install:and this screen when you click "Update All":You may see this entry in your list of installed programs:How did DriverFix get on my computer?These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:How do I remove DriverFix?Our program Malwarebytes can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of DriverFix? No, Malwarebytes removes DriverFix completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this system optimizer.As you can see below the full version of Malwarebytes would have protected you against the DriverFix installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block access to their domain: Technical details for expertsYou may see these entries in FRST logs: () C:\ProgramData\DriverFix\DriverFix.exe HKCU\...\Run: [DriverFix] => C:\ProgramData\DriverFix\DriverFix.exe [20490056 2019-01-17] () C:\Users\Public\Desktop\DriverFix.lnk C:\Users\{username}\AppData\Roaming\DriverFix C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFix C:\ProgramData\DriverFix DriverFix 4.2018.12.18 (HKLM\...\DriverFix_is1) (Version: - DriverFix, Inc) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\ProgramData\DriverFix Adds the file dpinst_x64.exe"="1/17/2019 9:00 AM, 1053512 bytes, A Adds the file dpinst_x86.exe"="1/17/2019 9:00 AM, 928072 bytes, A Adds the file DriverFix.exe"="1/17/2019 9:00 AM, 20490056 bytes, A Adds the file DriverFix.url"="1/17/2019 9:00 AM, 50 bytes, A Adds the file dwc.dll"="1/17/2019 9:00 AM, 911176 bytes, A Adds the file libeay32.dll"="1/17/2019 9:00 AM, 1190728 bytes, A Adds the file libssl32.dll"="1/17/2019 9:00 AM, 246088 bytes, A Adds the file main.ico"="11/5/2018 4:39 PM, 155469 bytes, A Adds the file resources.dll"="1/17/2019 9:00 AM, 1646920 bytes, A Adds the file unins000.exe"="12/18/2018 3:39 PM, 251432 bytes, A Adds the file uninstall.ico"="11/5/2018 4:39 PM, 154553 bytes, A Adds the file website.ico"="11/5/2018 4:39 PM, 156522 bytes, A Adds the folder C:\ProgramData\DriverFix\Resources\Fonts Adds the file Lato-Black.ttf"="1/17/2019 9:00 AM, 114588 bytes, A Adds the file Lato-BlackItalic.ttf"="1/17/2019 9:00 AM, 111616 bytes, A Adds the file Lato-Bold.ttf"="1/17/2019 9:00 AM, 121788 bytes, A Adds the file Lato-BoldItalic.ttf"="1/17/2019 9:00 AM, 120312 bytes, A Adds the file Lato-Hairline.ttf"="1/17/2019 9:00 AM, 115316 bytes, A Adds the file Lato-HairlineItalic.ttf"="1/17/2019 9:00 AM, 91460 bytes, A Adds the file Lato-Italic.ttf"="1/17/2019 9:00 AM, 118352 bytes, A Adds the file Lato-Light.ttf"="1/17/2019 9:00 AM, 122524 bytes, A Adds the file Lato-LightItalic.ttf"="1/17/2019 9:00 AM, 91600 bytes, A Adds the file Lato-Regular.ttf"="1/17/2019 9:00 AM, 120196 bytes, A Adds the file OFL.txt"="1/17/2019 9:00 AM, 4407 bytes, A Adds the folder C:\ProgramData\DriverFix\Resources\Languages Adds the file cz.lng"="1/17/2019 9:00 AM, 33902 bytes, A Adds the file da.lng"="1/17/2019 9:00 AM, 33412 bytes, A Adds the file de.lng"="1/17/2019 9:00 AM, 37058 bytes, A Adds the file du.lng"="1/17/2019 9:00 AM, 34780 bytes, A Adds the file es.lng"="1/17/2019 9:00 AM, 37006 bytes, A Adds the file fi.lng"="1/17/2019 9:00 AM, 33744 bytes, A Adds the file fr.lng"="1/17/2019 9:00 AM, 37580 bytes, A Adds the file gr.lng"="1/17/2019 9:00 AM, 37244 bytes, A Adds the file it.lng"="1/17/2019 9:00 AM, 33550 bytes, A Adds the file jp.lng"="1/17/2019 9:00 AM, 26592 bytes, A Adds the file kr.lng"="1/17/2019 9:00 AM, 25858 bytes, A Adds the file no.lng"="1/17/2019 9:00 AM, 33524 bytes, A Adds the file pl.lng"="1/17/2019 9:00 AM, 34202 bytes, A Adds the file pt.lng"="1/17/2019 9:00 AM, 36416 bytes, A Adds the file ru.lng"="1/17/2019 9:00 AM, 34168 bytes, A Adds the file se.lng"="1/17/2019 9:00 AM, 33878 bytes, A Adds the file tr.lng"="1/17/2019 9:00 AM, 34038 bytes, A Adds the folder C:\ProgramData\DriverFix\Resources\Skins Adds the file StyleDark.style"="1/17/2019 9:00 AM, 409405 bytes, A Adds the file StyleWhite.style"="1/17/2019 9:00 AM, 415460 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFix Adds the file DriverFix Homepage.lnk"="1/17/2019 9:00 AM, 1620 bytes, A Adds the file DriverFix.lnk"="1/17/2019 9:00 AM, 1614 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\DriverFix Adds the file DriverFix.history"="1/17/2019 9:00 AM, 93 bytes, A Adds the file DriverFix.settings"="1/17/2019 9:00 AM, 346 bytes, A Adds the file scandata.bin"="1/17/2019 9:00 AM, 13162 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file DriverFix.lnk"="1/17/2019 9:00 AM, 1726 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverFix_is1] "DisplayIcon"="REG_SZ", "C:\ProgramData\DriverFix\uninstall.ico" "DisplayName"="REG_SZ", "DriverFix 4.2018.12.18" "HelpLink"="REG_SZ", "http://www.driverfix.com/#contact" "InstallDate"="REG_SZ", "20190117" "InstallLocation"="REG_SZ", "C:\ProgramData\DriverFix" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "DriverFix, Inc" "QuietUninstallString"="REG_SZ", ""C:\ProgramData\DriverFix\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\ProgramData\DriverFix\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://www.driverfix.com" [HKEY_CURRENT_USER\Software\DriverFix] "CampaignStart"="REG_BINARY, .... "DownloadID"="REG_SZ", "59842579666" "IfReminders"="REG_DWORD", 1 "InLang"="REG_SZ", "en" "InstallDate"="REG_BINARY, .... "SetupRunID"="REG_SZ", "" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "DriverFix"="REG_SZ", "C:\ProgramData\DriverFix\DriverFix.exe -auto" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/17/19 Scan Time: 9:07 AM Log File: f6335eb2-1a2e-11e9-92f6-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8828 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235825 Threats Detected: 65 Threats Quarantined: 65 Time Elapsed: 3 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\DriverFix.exe, Quarantined, [3892], [613999],1.0.8828 Module: 3 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\DriverFix.exe, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\dwc.dll, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\resources.dll, Quarantined, [3892], [613999],1.0.8828 Registry Key: 1 PUP.Optional.DriverFix, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DriverFix_is1, Quarantined, [3892], [613999],1.0.8828 Registry Value: 2 PUP.Optional.DriverFix, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DriverFix, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DRIVERFIX_IS1|URLINFOABOUT, Quarantined, [3892], [614004],1.0.8828 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.DriverFix, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVERFIX, Quarantined, [3892], [614000],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Skins, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\PROGRAMDATA\DRIVERFIX, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\USERS\{username}\APPDATA\ROAMING\DRIVERFIX, Quarantined, [3892], [614002],1.0.8828 File: 51 PUP.Optional.DriverFix, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\DRIVERFIX\DRIVERFIX HOMEPAGE.LNK, Quarantined, [3892], [614000],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFix\DriverFix.lnk, Quarantined, [3892], [614000],1.0.8828 PUP.Optional.DriverFix, C:\USERS\PUBLIC\DESKTOP\DRIVERFIX.LNK, Quarantined, [3892], [614003],1.0.8828 PUP.Optional.DriverFix, C:\PROGRAMDATA\DRIVERFIX\DRIVERFIX.URL, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-Black.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-BlackItalic.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-Bold.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-BoldItalic.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-Hairline.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-HairlineItalic.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-Italic.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-Light.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-LightItalic.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\Lato-Regular.ttf, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Fonts\OFL.txt, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\cz.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\da.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\de.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\du.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\es.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\fi.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\fr.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\gr.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\it.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\jp.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\kr.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\no.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\pl.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\pt.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\ru.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\se.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Languages\tr.lng, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Skins\StyleDark.style, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\Resources\Skins\StyleWhite.style, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\dpinst_x64.exe, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\dpinst_x86.exe, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\DriverFix.exe, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\dwc.dll, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\libeay32.dll, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\libssl32.dll, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\main.ico, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\resources.dll, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\unins000.exe, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\uninstall.ico, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\ProgramData\DriverFix\website.ico, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\DriverFix.lnk, Quarantined, [3892], [613999],1.0.8828 PUP.Optional.DriverFix, C:\USERS\{username}\APPDATA\ROAMING\DRIVERFIX\DRIVERFIX.SETTINGS, Quarantined, [3892], [614002],1.0.8828 PUP.Optional.DriverFix, C:\Users\{username}\AppData\Roaming\DriverFix\chdevlst.bin, Quarantined, [3892], [614002],1.0.8828 PUP.Optional.DriverFix, C:\Users\{username}\AppData\Roaming\DriverFix\DriverFix.history, Quarantined, [3892], [614002],1.0.8828 PUP.Optional.DriverFix, C:\Users\{username}\AppData\Roaming\DriverFix\scandata.bin, Quarantined, [3892], [614002],1.0.8828 PUP.Optional.DriverFix, C:\USERS\{username}\DESKTOP\DRIVERFIXWEBDL-5984257966.EXE, Quarantined, [3892], [613996],1.0.8828 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is Stream-All?The Malwarebytes research team has determined that Stream-All is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by Stream-All?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did Stream-All get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove Stream-All?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Stream-All? No, Malwarebytes removes Stream-All completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Stream-All hijacker. It would have blocked their website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxps://feed.stream-all.com/?q={searchTerms}&publisher=streamall&barcodeid=524170000000000 CHR DefaultSearchKeyword: Default -> StreamAll CHR DefaultSuggestURL: Default -> hxxps://suggest.stream-all.com/suggest/get?q={searchTerms} CHR Extension: (StreamAll) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa [2019-01-16] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0 Adds the file closer.js"="8/7/2018 11:31 AM, 15 bytes, A Adds the file manifest.json"="1/16/2019 10:41 AM, 2351 bytes, A Adds the file popup.html"="8/7/2018 11:31 AM, 1675 bytes, A Adds the file tab.html"="8/7/2018 11:31 AM, 165 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\_metadata Adds the file computed_hashes.json"="1/16/2019 10:41 AM, 2561 bytes, A Adds the file verified_contents.json"="8/19/2018 1:15 PM, 2947 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images Adds the file how-1.png"="8/7/2018 11:31 AM, 1584 bytes, A Adds the file how-2.png"="8/7/2018 11:31 AM, 1867 bytes, A Adds the file logo-small.png"="8/7/2018 11:31 AM, 1771 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\icons Adds the file 128x128.png"="1/16/2019 10:41 AM, 6405 bytes, A Adds the file 16x16.png"="1/16/2019 10:41 AM, 792 bytes, A Adds the file 64x64.png"="1/16/2019 10:41 AM, 4018 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\scripts Adds the file background.js"="8/19/2018 1:18 PM, 30289 bytes, A Adds the file jquery-3.3.1.min.js"="8/7/2018 11:31 AM, 86927 bytes, A Adds the file popup.js"="8/7/2018 11:31 AM, 113 bytes, A Adds the file sitecontent.js"="8/7/2018 11:31 AM, 77 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\styles Adds the file popup.css"="8/7/2018 11:31 AM, 1162 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kfkkfgfmlliomakfjlijbpjniajpgboa Adds the file StreamAll.ico"="1/16/2019 10:41 AM, 185062 bytes, A Adds the file StreamAll.ico.md5"="1/16/2019 10:41 AM, 16 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kfkkfgfmlliomakfjlijbpjniajpgboa"="REG_SZ", "F8CCD871F29CF7874F0AC0EDF58DFA8D7A08E7B9C5F37FAA21E97F56D949CADF" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/16/19 Scan Time: 10:49 AM Log File: fec40e48-1973-11e9-8532-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8812 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235803 Threats Detected: 31 Threats Quarantined: 31 Time Elapsed: 2 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.StreamAll, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|kfkkfgfmlliomakfjlijbpjniajpgboa, Quarantined, [14554], [599053],1.0.8812 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.StreamAll, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\icons, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\_metadata, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\scripts, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\styles, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KFKKFGFMLLIOMAKFJLIJBPJNIAJPGBOA\1.0.7_0, Quarantined, [14554], [599053],1.0.8812 File: 21 PUP.Optional.StreamAll, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KFKKFGFMLLIOMAKFJLIJBPJNIAJPGBOA\1.0.7_0\MANIFEST.JSON, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\icons\128x128.png, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\icons\16x16.png, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\icons\64x64.png, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\how-1.png, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\how-2.png, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\images\logo-small.png, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\scripts\background.js, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\scripts\jquery-3.3.1.min.js, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\scripts\popup.js, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\scripts\sitecontent.js, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\styles\popup.css, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\_metadata\computed_hashes.json, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\_metadata\verified_contents.json, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\closer.js, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\popup.html, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.StreamAll, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkkfgfmlliomakfjlijbpjniajpgboa\1.0.7_0\tab.html, Quarantined, [14554], [599053],1.0.8812 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [260], [515122],1.0.8812 PUP.Optional.ExtensionClicks, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [260], [515122],1.0.8812 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is WowMusix Start?The Malwarebytes research team has determined that WowMusix Start is a search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.How do I know if my computer is affected by WowMusix Start?You may see this entry in your list of installed Chrome extensions:and these warnings during install:You will see this icon in your Chrome menu-bar:and this changed setting:How did WowMusix Start get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from the webstore:after a redirect from their website:How do I remove WowMusix Start?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of WowMusix Start? No, Malwarebytes removes WowMusix Start completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.Technical details for expertsPossible signs in FRST logs: CHR NewTab: Default -> Active:"chrome-extension://agibagflppafhfonkefpklndlohkclcb/index.html" CHR Extension: (WowMusix Start) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb [2019-01-15] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0 Adds the file index.html"="12/9/2015 3:57 PM, 10658 bytes, A Adds the file manifest.json"="1/15/2019 9:03 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\_metadata Adds the file computed_hashes.json"="1/15/2019 9:03 AM, 12371 bytes, A Adds the file verified_contents.json"="12/9/2015 4:16 PM, 4757 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons Adds the file icons_ama.png"="11/19/2015 4:39 PM, 2473 bytes, A Adds the file icons_ebay.png"="11/19/2015 4:39 PM, 2542 bytes, A Adds the file icons_fb.png"="11/19/2015 4:39 PM, 2155 bytes, A Adds the file icons_flickr.png"="11/19/2015 4:39 PM, 2344 bytes, A Adds the file icons_gogleplus.png"="11/19/2015 4:39 PM, 2622 bytes, A Adds the file icons_gomusix.png"="11/19/2015 4:39 PM, 2710 bytes, A Adds the file icons_inst.png"="11/19/2015 4:39 PM, 2407 bytes, A Adds the file icons_linked.png"="11/19/2015 4:39 PM, 2215 bytes, A Adds the file icons_movixHub.png"="11/19/2015 4:39 PM, 2434 bytes, A Adds the file icons_pin.png"="11/19/2015 4:39 PM, 2579 bytes, A Adds the file icons_tumbir.png"="11/19/2015 4:39 PM, 2212 bytes, A Adds the file icons_twi.png"="11/19/2015 4:39 PM, 2451 bytes, A Adds the file icons_yah.png"="11/19/2015 4:39 PM, 2374 bytes, A Adds the file icons_yt.png"="11/19/2015 4:39 PM, 2543 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs Adds the file logo.png"="1/15/2019 9:03 AM, 4126 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers Adds the file classic.png"="11/19/2015 4:39 PM, 23964 bytes, A Adds the file dance.png"="11/19/2015 4:39 PM, 44793 bytes, A Adds the file electro.png"="11/19/2015 4:39 PM, 24754 bytes, A Adds the file jazz.png"="11/19/2015 4:39 PM, 19203 bytes, A Adds the file pop.png"="11/19/2015 4:39 PM, 28281 bytes, A Adds the file rock.png"="11/19/2015 4:39 PM, 38678 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js Adds the file auto_complete.js"="12/9/2015 4:15 PM, 2493 bytes, A Adds the file background.js"="12/9/2015 3:57 PM, 3551 bytes, A Adds the file bootstrap.min.js"="11/19/2015 4:39 PM, 35607 bytes, A Adds the file content.js"="12/9/2015 4:07 PM, 5369 bytes, A Adds the file jquery.min.js"="11/19/2015 4:39 PM, 93104 bytes, A Adds the file jquery-1.9.1.js"="11/19/2015 4:39 PM, 277978 bytes, A Adds the file jqueryui.min.js"="11/19/2015 4:39 PM, 228013 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "agibagflppafhfonkefpklndlohkclcb"="REG_SZ", "2D2E7C92D72FEFF8647F22550F1E16F7EE304E3D2463A56C51EC6039307F9E88" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/15/19 Scan Time: 9:15 AM Log File: c5ce4d8d-189d-11e9-b4f2-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8694 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236265 Threats Detected: 42 Threats Quarantined: 42 Time Elapsed: 2 min, 54 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 1 PUP.Optional.GoMusix.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|agibagflppafhfonkefpklndlohkclcb, Quarantined, [14426], [443087],1.0.8694 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\_metadata, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AGIBAGFLPPAFHFONKEFPKLNDLOHKCLCB, Quarantined, [14426], [443087],1.0.8694 File: 34 PUP.Optional.GoMusix.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\AGIBAGFLPPAFHFONKEFPKLNDLOHKCLCB\1.0.4_0\INDEX.HTML, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_ama.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_ebay.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_fb.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_flickr.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_gogleplus.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_gomusix.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_inst.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_linked.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_movixHub.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_pin.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_tumbir.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_twi.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_yah.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\icons\icons_yt.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers\classic.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers\dance.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers\electro.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers\jazz.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers\pop.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\offers\rock.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\imgs\logo.png, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js\auto_complete.js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js\background.js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js\bootstrap.min.js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js\content.js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js\jquery-1.9.1.js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js\jquery.min.js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\js\jqueryui.min.js, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\_metadata\computed_hashes.json, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\_metadata\verified_contents.json, Quarantined, [14426], [443087],1.0.8694 PUP.Optional.GoMusix.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\agibagflppafhfonkefpklndlohkclcb\1.0.4_0\manifest.json, Quarantined, [14426], [443087],1.0.8694 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is Seznam?The Malwarebytes research team has determined that Seznam is a bundler. These bundlers typically install potentially unwanted programs (PUPs) or adware on top of the desired software.How do I know if my computer is affected by Seznam?You may see these warnings during install:and these entries in your list of installed Programs and Features:You may see this type of warnings after the installation:and this type of browser extensions if you allow them:How did Seznam get on my computer?Bundlers use different methods for distributing themselves. This particular one was offered by a software promoting site as a mediaplayer.How do I remove Seznam?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Seznam? No, Malwarebytes removes Seznam completely. If you wish to remove the installed programs and extensions you can use the normal procedure from the Windows Control Panel for the programs. This will also remove the browser extensions. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this bundler.As you can see below the full version of Malwarebytes would have protected you against the Seznam bundler. It would have blocked the installer before it became too late. Technical details for expertsPossible signs in FRST logs: () C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\szndesktop.exe () C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\listicka-x64.exe HKLM-x32\...\Run: [seznam-listicka-distribuce] => C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe [1069296 2018-03-27] () HKCU\...\Run: [cz.seznam.software.autoupdate] => C:\Users\{username}\AppData\Roaming\Seznam.cz\szninstall.exe [1069296 2018-03-27] () HKCU\...\Run: [cz.seznam.software.szndesktop] => C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\wszndesktop.exe [109808 2018-03-27] () CHR Extension: (Seznam doplněk - Email) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgjpfhpjcgdppjbgnpnjllokbmcdllig [2019-01-14] CHR Extension: (Seznam doplněk - Esko) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olfeabkoenfaoljndfecamgilllcpiak [2019-01-14] CHR HKCU\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bgjpfhpjcgdppjbgnpnjllokbmcdllig] - hxxps://clients2.google.com/service/update2/crx CHR HKCU\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [olfeabkoenfaoljndfecamgilllcpiak] - hxxps://clients2.google.com/service/update2/crx C:\Users\{username}\AppData\Roaming\Seznam.cz C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC-HC x64 C:\Program Files\MPC-HC C:\Program Files (x86)\Seznam.cz MPC-HC 1.7.13 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.13 - MPC-HC Team) Seznam Software (HKCU\...\SeznamInstall) (Version: 2.1.32 - Seznam.cz) () C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\12599libfoxloader-x64.dll () C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\lightspeed.dll () C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\12595libfoxloader.dll Significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Seznam.cz\distribution Adds the file partner.conf"="1/14/2019 8:59 AM, 28 bytes, A Adds the file sources.inf"="1/14/2019 8:59 AM, 100 bytes, A Adds the file szninstall.exe"="3/27/2018 3:29 PM, 1069296 bytes, A Adds the file sznsetup.exe"="3/27/2018 2:51 PM, 2596080 bytes, A Adds the folder C:\Program Files (x86)\Seznam.cz\distribution\install Adds the file com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip"="2/8/2017 4:00 PM, 529195 bytes, A Adds the file com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip"="7/31/2017 4:22 PM, 631911 bytes, A Adds the file cz.seznam.software.autoupdate-1.0.8-win32.zip"="2/8/2017 4:00 PM, 849 bytes, A Adds the file cz.seznam.software.chromelisticka-2.0.4-win32.zip"="10/31/2017 1:54 PM, 1045 bytes, A Adds the file cz.seznam.software.ielisticka3-3.3.1-win32.zip"="11/22/2017 4:52 PM, 724 bytes, A Adds the file cz.seznam.software.libfoxcub-3.3.4-win32.zip"="11/22/2017 4:38 PM, 2203997 bytes, A Adds the file cz.seznam.software.libfoxcub64-3.3.4-win32.zip"="11/22/2017 4:42 PM, 1053805 bytes, A Adds the file cz.seznam.software.libfoxloader-3.2.7-win32.zip"="11/22/2017 4:40 PM, 42615 bytes, A Adds the file cz.seznam.software.libszndesktop-2.1.29-win32.zip"="11/13/2017 3:38 PM, 1033669 bytes, A Adds the file cz.seznam.software.lightspeed-1210-12.10.12-win32.zip"="2/8/2017 4:00 PM, 313182 bytes, A Adds the file cz.seznam.software.lightspeed-1210-12.10.17-win32.zip"="7/31/2017 4:22 PM, 288347 bytes, A Adds the file cz.seznam.software.pp-1.0.2-win32.zip"="2/8/2017 4:00 PM, 96329 bytes, A Adds the file cz.seznam.software.szndesktop-2.0.31-win32.zip"="7/31/2017 4:22 PM, 42736 bytes, A Adds the file cz.seznam.software.szninstall-1.1.14-win32.zip"="7/31/2017 4:22 PM, 413937 bytes, A Adds the file cz.seznam.software.sznsetup-1.2.6-win32.zip"="7/31/2017 4:22 PM, 1121056 bytes, A Adds the file packages.inf"="11/22/2017 4:58 PM, 12019 bytes, A Adds the file szn-software-base-1.0.0-win32.zip"="2/8/2017 4:00 PM, 719 bytes, A Adds the file szn-software-fflisticka-4.0.4-win32.zip"="10/31/2017 1:54 PM, 5209329 bytes, A Adds the file szn-software-listicka-3.0.0-win32.zip"="2/8/2017 4:00 PM, 1688 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz Adds the file install.log"="1/14/2019 8:59 AM, 52491 bytes, A Adds the file install_packages.log"="1/14/2019 8:59 AM, 1732 bytes, A Adds the file packages.inf"="1/14/2019 8:59 AM, 12828 bytes, A Adds the file partner.conf"="1/14/2019 8:59 AM, 28 bytes, A Adds the file sources.inf"="1/14/2019 8:59 AM, 45 bytes, A Adds the file szninstall.exe"="3/27/2018 3:29 PM, 1069296 bytes, A Adds the file sznsetup.exe"="3/27/2018 2:51 PM, 2596080 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\bin Adds the file 12595libfoxloader.dll"="11/13/2017 3:49 PM, 85200 bytes, A Adds the file 12599libfoxloader-x64.dll"="11/13/2017 3:46 PM, 92368 bytes, A Adds the file libfoxcub.dll"="2/20/2018 4:25 PM, 1880272 bytes, A Adds the file libfoxcub-x64.dll"="2/20/2018 4:25 PM, 2568400 bytes, A Adds the file lightspeed.dll"="2/21/2018 10:36 AM, 869584 bytes, A Adds the file listicka-x64.exe"="2/8/2017 12:39 PM, 80576 bytes, A Adds the file msvcp100.dll"="7/26/2012 11:44 AM, 421200 bytes, A Adds the file msvcp110.dll"="11/6/2012 2:20 AM, 535008 bytes, A Adds the file msvcr100.dll"="7/26/2012 11:44 AM, 773968 bytes, A Adds the file msvcr110.dll"="11/6/2012 2:20 AM, 875472 bytes, A Adds the file szndesktop.exe"="11/13/2017 3:38 PM, 506064 bytes, A Adds the file sznpp.exe"="5/2/2018 3:57 PM, 1605872 bytes, A Adds the file sznpp_64.exe"="1/14/2019 8:59 AM, 860400 bytes, A Adds the file sznpp_ch_nm.json"="1/14/2019 8:59 AM, 375 bytes, A Adds the file sznpp_ff_nm.json"="1/14/2019 8:59 AM, 312 bytes, A Adds the file unlockInstance.dll"="10/24/2012 4:42 PM, 247352 bytes, A Adds the file wszndesktop.exe"="3/27/2018 3:33 PM, 109808 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\conf Adds the file szndesktop.conf"="1/6/2015 3:17 PM, 334 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\conf\libfoxcub Adds the file foxcub.conf"="6/21/2016 8:10 AM, 251 bytes, A Adds the file regcfg.conf"="1/14/2019 8:59 AM, 22 bytes, A Adds the file remote.conf"="1/5/2017 10:26 AM, 11515 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\conf\szndesktop.d Adds the file installChrome.conf"="1/14/2019 8:59 AM, 190 bytes, A Adds the file libfoxcub.conf"="6/21/2016 8:10 AM, 1448 bytes, A Adds the file libfoxloader.conf"="1/14/2019 8:59 AM, 165 bytes, A Adds the file unlockInstance.conf"="10/22/2012 4:14 PM, 150 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\data Adds the file listickaconfig.webpak"="2/19/2018 1:12 PM, 71016 bytes, A Adds the file listickanastaveni.webpak"="3/28/2018 1:52 PM, 1075112 bytes, A Adds the file speeddial.webpak"="2/19/2018 1:12 PM, 989872 bytes, A Adds the file szndesktop.webpak"="5/26/2015 1:38 PM, 40568 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\data\fflisticka Adds the file control.ini"="4/3/2018 2:45 PM, 1045 bytes, A Adds the file install.bat"="4/3/2018 2:46 PM, 698 bytes, A Adds the file seznam_doplnek_email-4.2.1-an+fx-windows.xpi"="4/3/2018 1:26 PM, 3111317 bytes, A Adds the file sko-extension@firma.seznam.cz.xpi"="4/3/2018 1:26 PM, 2874639 bytes, A Adds the file uninstall.bat"="9/22/2017 4:24 PM, 448 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\install Adds the file com.microsoft.msdn.msvcr100-10.0.40219.325-win32.zip"="2/8/2017 4:00 PM, 529195 bytes, A Adds the file com.microsoft.msdn.msvcr110-11.0.51106.1-win32.zip"="7/31/2017 4:22 PM, 631911 bytes, A Adds the file cz.seznam.software.autoupdate-1.0.8-win32.zip"="2/8/2017 4:00 PM, 849 bytes, A Adds the file cz.seznam.software.chromelisticka-2.0.4-win32.zip"="10/31/2017 1:54 PM, 1045 bytes, A Adds the file cz.seznam.software.ielisticka3-3.3.1-win32.zip"="11/22/2017 4:52 PM, 724 bytes, A Adds the file cz.seznam.software.libfoxcub-3.3.4-win32.zip"="11/22/2017 4:38 PM, 2203997 bytes, A Adds the file cz.seznam.software.libfoxcub64-3.3.4-win32.zip"="11/22/2017 4:42 PM, 1053805 bytes, A Adds the file cz.seznam.software.libfoxloader-3.2.7-win32.zip"="11/22/2017 4:40 PM, 42615 bytes, A Adds the file cz.seznam.software.libszndesktop-2.1.29-win32.zip"="11/13/2017 3:38 PM, 1033669 bytes, A Adds the file cz.seznam.software.lightspeed-1210-12.10.12-win32.zip"="2/8/2017 4:00 PM, 313182 bytes, A Adds the file cz.seznam.software.lightspeed-1210-12.10.17-win32.zip"="7/31/2017 4:22 PM, 288347 bytes, A Adds the file cz.seznam.software.pp-1.0.2-win32.zip"="2/8/2017 4:00 PM, 96329 bytes, A Adds the file cz.seznam.software.szndesktop-2.0.31-win32.zip"="7/31/2017 4:22 PM, 42736 bytes, A Adds the file cz.seznam.software.szninstall-1.1.14-win32.zip"="7/31/2017 4:22 PM, 413937 bytes, A Adds the file cz.seznam.software.sznsetup-1.2.6-win32.zip"="7/31/2017 4:22 PM, 1121056 bytes, A Adds the file packages.inf"="11/22/2017 4:58 PM, 12019 bytes, A Adds the file szn-software-base-1.0.0-win32.zip"="2/8/2017 4:00 PM, 719 bytes, A Adds the file szn-software-fflisticka-4.0.4-win32.zip"="10/31/2017 1:54 PM, 5209329 bytes, A Adds the file szn-software-listicka-3.0.0-win32.zip"="2/8/2017 4:00 PM, 1688 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Seznam.cz\uninstall Adds the file com_microsoft_msdn_msvcr100_10_0_40219_325.install.bat"="8/13/2012 6:58 PM, 56 bytes, A Adds the file com_microsoft_msdn_msvcr100_10_0_40219_325.uninstall.bat"="8/6/2012 1:48 PM, 42 bytes, A Adds the file com_microsoft_msdn_msvcr110_11_0_51106_1.install.bat"="4/30/2015 10:01 AM, 56 bytes, A Adds the file com_microsoft_msdn_msvcr110_11_0_51106_1.uninstall.bat"="4/30/2015 10:01 AM, 42 bytes, A Adds the file cz_seznam_software_autoupdate_1_0_8.install.bat"="2/4/2012 12:45 AM, 133 bytes, A Adds the file cz_seznam_software_autoupdate_1_0_8.uninstall.bat"="2/4/2012 12:42 AM, 104 bytes, A Adds the file cz_seznam_software_chromelisticka_2_0_4.install.bat"="9/7/2017 6:48 PM, 698 bytes, A Adds the file cz_seznam_software_chromelisticka_2_0_4.uninstall.bat"="9/7/2017 6:49 PM, 397 bytes, A Adds the file cz_seznam_software_ielisticka3_3_3_5.install.bat"="6/21/2016 8:10 AM, 26 bytes, A Adds the file cz_seznam_software_ielisticka3_3_3_5.uninstall.bat"="6/21/2016 8:10 AM, 26 bytes, A Adds the file cz_seznam_software_libfoxcub_3_3_8.install.bat"="11/22/2017 4:38 PM, 2513 bytes, A Adds the file cz_seznam_software_libfoxcub_3_3_8.uninstall.bat"="6/21/2016 8:10 AM, 447 bytes, A Adds the file cz_seznam_software_libfoxcub64_3_3_8.install.bat"="6/21/2016 8:10 AM, 479 bytes, A Adds the file cz_seznam_software_libfoxcub64_3_3_8.uninstall.bat"="6/21/2016 8:10 AM, 143 bytes, A Adds the file cz_seznam_software_libfoxloader_3_2_7.install.bat"="1/6/2015 3:17 PM, 665 bytes, A Adds the file cz_seznam_software_libfoxloader_3_2_7.uninstall.bat"="1/6/2015 3:17 PM, 117 bytes, A Adds the file cz_seznam_software_libszndesktop_2_1_32.install.bat"="6/14/2017 4:17 PM, 590 bytes, A Adds the file cz_seznam_software_libszndesktop_2_1_32.reconfigure.bat"="1/6/2015 3:17 PM, 90 bytes, A Adds the file cz_seznam_software_libszndesktop_2_1_32.uninstall.bat"="4/5/2017 1:38 PM, 321 bytes, A Adds the file cz_seznam_software_lightspeed_1210_12_10_18.install.bat"="1/6/2015 3:17 PM, 30 bytes, A Adds the file cz_seznam_software_lightspeed_1210_12_10_18.uninstall.bat"="1/6/2015 3:17 PM, 23 bytes, A Adds the file cz_seznam_software_pp_1_0_2.install.bat"="10/23/2012 2:40 PM, 166 bytes, A Adds the file cz_seznam_software_pp_1_0_2.uninstall.bat"="10/22/2012 4:12 PM, 106 bytes, A Adds the file cz_seznam_software_szndesktop_2_0_32.install.bat"="1/6/2015 3:17 PM, 290 bytes, A Adds the file cz_seznam_software_szndesktop_2_0_32.uninstall.bat"="1/6/2015 3:17 PM, 178 bytes, A Adds the file cz_seznam_software_szninstall_1_1_15.install.bat"="9/13/2012 12:47 PM, 908 bytes, A Adds the file cz_seznam_software_szninstall_1_1_15.uninstall.bat"="9/7/2012 3:00 PM, 181 bytes, A Adds the file cz_seznam_software_sznsetup_1_2_7.install.bat"="9/13/2012 10:39 AM, 90 bytes, A Adds the file cz_seznam_software_sznsetup_1_2_7.uninstall.bat"="9/7/2012 2:48 PM, 21 bytes, A Adds the file szn_software_base_1_0_0.install.bat"="1/5/2012 2:07 PM, 129 bytes, A Adds the file szn_software_base_1_0_0.uninstall.bat"="1/26/2012 3:50 PM, 32 bytes, A Adds the file szn_software_fflisticka_4_0_6.install.bat"="4/3/2018 2:46 PM, 698 bytes, A Adds the file szn_software_fflisticka_4_0_6.uninstall.bat"="9/22/2017 4:24 PM, 448 bytes, A Adds the file szn_software_listicka_3_0_0.install.bat"="6/12/2012 3:05 PM, 1326 bytes, A Adds the file szn_software_listicka_3_0_0.uninstall.bat"="3/15/2012 4:51 PM, 610 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1] "Contact"="REG_SZ"", "https://mpc-hc.org/contact-us/" "DisplayIcon"="REG_SZ"", "C:\Program Files\MPC-HC\mpc-hc64.exe" "DisplayName"="REG_SZ"", "MPC-HC 1.7.13 (64-bit)" "DisplayVersion"="REG_SZ"", "1.7.13" "EstimatedSize"="REG_DWORD"", 48168 "HelpLink"="REG_SZ"", "https://trac.mpc-hc.org/" "Inno Setup: App Path"="REG_SZ"", "C:\Program Files\MPC-HC" "Inno Setup: Deselected Components"="REG_SZ"", "" "Inno Setup: Deselected Tasks"="REG_SZ"", "desktopicon\common" "Inno Setup: Icon Group"="REG_SZ"", "MPC-HC x64" "Inno Setup: Language"="REG_SZ"", "en" "Inno Setup: Selected Components"="REG_SZ"", "main,mpciconlib,mpcresources" "Inno Setup: Selected Tasks"="REG_SZ"", "desktopicon,desktopicon\user" "Inno Setup: Setup Type"="REG_SZ"", "default" "Inno Setup: Setup Version"="REG_SZ"", "5.5.9 (u)" "Inno Setup: User"="REG_SZ"", "{username}" "InstallDate"="REG_SZ"", "20190114" "InstallLocation"="REG_SZ"", "C:\Program Files\MPC-HC\" "MajorVersion"="REG_DWORD"", 1 "MinorVersion"="REG_DWORD"", 7 "NoModify"="REG_DWORD"", 1 "NoRepair"="REG_DWORD"", 1 "Publisher"="REG_SZ"", "MPC-HC Team" "QuietUninstallString"="REG_SZ"", ""C:\Program Files\MPC-HC\unins000.exe" /SILENT" "Readme"="REG_SZ"", "C:\Program Files\MPC-HC\Readme.txt" "UninstallString"="REG_SZ"", ""C:\Program Files\MPC-HC\unins000.exe"" "URLInfoAbout"="REG_SZ"", "https://mpc-hc.org/" "URLUpdateInfo"="REG_SZ"", "https://mpc-hc.org/" "VersionMajor"="REG_DWORD"", 1 "VersionMinor"="REG_DWORD"", 7 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "seznam-listicka-distribuce"="REG_SZ"", ""C:\Program Files (x86)\Seznam.cz\distribution\szninstall.exe" -s -d listicka 1 szn-software-listicka cz.seznam.software.autoupdate" [HKEY_CURRENT_USER\Software\Google\Chrome\NativeMessagingHosts\sznpp_nm] "(Default)"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\sznpp_ch_nm.json" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "cz.seznam.software.autoupdate"="REG_SZ"", ""C:\Users\{username}\AppData\Roaming\Seznam.cz\szninstall.exe" -c" "cz.seznam.software.szndesktop"="REG_SZ"", ""C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\wszndesktop.exe" -q" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SeznamInstall] "Comments"="REG_SZ"", "Vsechny aplikace spolecnosti Seznam.cz a.s." "DisplayIcon"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Seznam.cz\szninstall.exe,0" "DisplayName"="REG_SZ"", "Seznam Software" "DisplayVersion"="REG_SZ"", "2.1.32" "HelpLink"="REG_SZ"", "http://napoveda.seznam.cz/cz/software.html" "InstallLocation"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Seznam.cz" "ModifyPath"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Seznam.cz\szninstall.exe" "NoModify"="REG_DWORD"", 0 "NoRepair"="REG_DWORD"", 1 "Publisher"="REG_SZ"", "Seznam.cz" "UninstallString"="REG_SZ"", ""C:\Users\{username}\AppData\Roaming\Seznam.cz\szninstall.exe" -X" "URLInfoAbout"="REG_SZ"", "http://software.seznam.cz" [HKEY_CURRENT_USER\Software\Mozilla\NativeMessagingHosts\sznpp_nm] "(Default)"="REG_SZ"", "C:\Users\{username}\AppData\Roaming\Seznam.cz\bin\sznpp_ff_nm.json" [HKEY_CURRENT_USER\Software\Seznam.cz\distribution] "listicka"="REG_DWORD"", 1 [HKEY_CURRENT_USER\Software\Seznam.cz\sznpp] "che_state"="REG_DWORD"", 32 "chrv_state"="REG_DWORD"", 32 "ff_state_email"="REG_DWORD"", 4 "ff_state_sko"="REG_DWORD"", 4 "lses"="REG_QWORD, .... "ssid"="REG_SZ"", "EF0E98B4-9BD9-40C7-A31A-864CBC4B2313" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/14/19 Scan Time: 9:07 AM Log File: 818c2f60-17d3-11e9-8212-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8764 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 236211 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 2 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 PUP.Optional.SeznamToolbar.NSIS, C:\USERS\{username}\DESKTOP\SETUP.EXE, Quarantined, [13850], [623610],1.0.8764 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.