Showing results for tags 'multiplug'.
Found 2 results

  1. Hi, I don't know if this is the right place to ask about my problem/concern, but if it is not, feel free to move it to the right section (and sorry for the mistake). So, a few days ago I found on my PC an old piece of software unused by me for at least 3 years (between the last usage and now I upgraded Win 7 to Win 10; I don't know if this can help or can be a problem in the diagnosis). Just out of curiosity and to be sure, I used the VirusTotal scanner on the .exe file of that software, and the results revealed for 3 of 67 analysis scanners that there was a Riskware (0040eff71). My reaction to this was to download AdwCleaner (because it helped me in other circumstances in the past) to scan my PC. I don't have the log files anymore because I uninstalled AdwCleaner (I regret this decision), but I remember the entries. AdwCleaner only found 2 suspicious results in the Registry field (*the only thing I don't remember is if HKEY was HKLM or HKCU):

     PUP.Optional.Legacy key registry HK*/Software/Classes/Interface {ID}
     PUP.Optional.Multiplug key registry HK*/Software/Classes/TypeLib {ID}

     At this point I cleaned up with AdwCleaner, but the PUP.Optional.Legacy came back once. I cleaned again and this one also disappeared. After this I uninstalled AdwCleaner and installed Malwarebytes 3 to make sure nothing else remained. I ran the scan and nothing was found, so I supposed the PC was correctly cleaned, but in the real-time protection of the premium trial I was reported several venturead.com block site events during my daily browsing. I scanned again with Malwarebytes 3 and I also installed and ran Zemana, but nothing was reported as malicious. Looking for advice on the internet, I reset the browser and the venturead.com events disappeared. The goal of this topic is mainly to understand the type of infection that I faced and whether I should be worried about my account credentials used during this long time that I was supposedly exposed.

     So, my questions are:
     1) What kind of threats were these of mine? (I would like to understand more about every piece of evidence I described, just to learn more about this. I searched on the internet but nothing was exactly my case.)
     2) Should I be worried about my credentials? (I usually change passwords every 5 or 6 months, the last time 2 weeks ago, and always sign in in anonymous browser windows, but I understand that if these threats were severe, like a keylogger, these habits of mine are meaningless.)
     3) I sometimes connect my external HDD to make a backup of my personal data (mainly photos, videos and docs). I have done this several times before this episode, so my last question is: should I be worried about my external HDD or the data stored on it? (I don't know if this helps, but I never executed anything on that device and I made a scan with Malwarebytes 3 after I finished my fight against the venturead.com thing.)

     I'm sorry for this wall of text and for my English (not so good, I know) and I hope you can give me good news about my concern.

     PS: I forgot to say that the only real symptoms (during the infection period) I perceived were failed attempts (blocked by the browser and the adblock extension) from the browser to open popups/browser tabs and, I suppose, too many ads on certain websites (too many considering that I had adblock). I don't know if I had some performance issues, because this PC is 9 years old, so it is actually normal behavior for me to see lag spikes in video games or difficulty in some tasks.
  2. What is Dotdo-Audio?

     The Malwarebytes research team has determined that Dotdo-Audio is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the affected browser visits their site or one of their choice. This one uses a "man in the middle" method on Chrome and Firefox. It also uses audio advertisements.

     How do I know if my computer is affected by Dotdo-Audio?

     Your computer will slow down considerably. You may hear audio advertisements even when there are no browser windows open. You may notice hidden and renamed files in the Chrome and Firefox application folders. The renamed and hidden files are the original browser executables. You may have seen a few command prompts during install, using taskkill to shut down the Chrome and Firefox processes so it can replace them. And you may find a few Scheduled Tasks similar to these:

     How did Dotdo-Audio get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was installed by a trojan.

     How do I remove Dotdo-Audio?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
     - Please download Malwarebytes Anti-Malware to your desktop.
     - Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
     - At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware. Then click Finish.
     - Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
     - If an update is available, it will be implemented before the rest of the scanning procedure.
     - When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     - Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Dotdo-Audio?

     No, Malwarebytes' Anti-Malware removes Dotdo-Audio completely.

     This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

     This PUP disables the Windows Defender service. You may want to run services.msc to open Services Manager. Ensure that the Windows Defender service is started and set to Automatic.

     How would the full version of Malwarebytes Anti-Malware help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Dotdo-Audio hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late. It also stops some of the outgoing connections the adware tries to make.

     Technical details for experts

     Signs in a FRST log:

     () C:\Program Files (x86)\micra\sacrosanct.exe
     () C:\Program Files (x86)\umm\rickshaws.exe
     HKLM\...\Run: [micrometer] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
     HKLM-x32\...\Run: [amputate] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
     HKCU\...\Run: [finish] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
     HKCU\...\Run: [varmints] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
     HKCU\...\Run: [sacrosanct] => C:\Program Files (x86)\micra\sacrosanct.exe [36766 2016-07-19] ()
     HKCU\...\Run: [ens] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
     Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heaton.lnk [2016-08-10]
     ShortcutTarget: heaton.lnk -> C:\Program Files (x86)\umm\rickshaws.exe ()
     S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
     C:\Windows\System32\Tasks\49902965
     C:\Windows\System32\Tasks\Pa4990296549902965
     C:\Program Files (x86)\umm
     C:\Program Files (x86)\micra
     C:\Windows\scid.exe
     C:\Windows\settings.dll
     C:\Users\{username}\AppData\Local\66534719.exe
     C:\Users\{username}\AppData\Local\10262.exe
     Task: {7183CE50-E79D-43B0-A322-408A35C16BD7} - System32\Tasks\49902965 => C:\Program Files (x86)\umm\rickshaws.exe [2016-07-19] () <==== ATTENTION
     Task: {7BFBE69C-F99A-4C34-B03B-E764BFEB6C29} - System32\Tasks\Pa4990296549902965 => C:\Program Files (x86)\umm\rickshaws.exe [2016-07-19] ()
     () C:\Users\{username}\AppData\Local\Temp\nseEFCF.tmp\ExecCmd.dll
     FirewallRules: [{C9C8C4B7-05CB-4F44-B1B7-35C179711A21}] => (Allow) C:\Program Files (x86)\umm\rickshaws.exe

     Alterations made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     In the existing folder C:\Program Files (x86)\Google\Chrome\Application
       Alters the file chrome.exe
         8/3/2016 2:20 AM, 961352 bytes, A ==> 7/19/2016 4:01 AM, 406393 bytes, A
       Adds the file chrome334.exe
         8/3/2016 2:20 AM, 961352 bytes, H
     Adds the folder C:\Program Files (x86)\micra
       Adds the file sacrosanct.exe
         7/19/2016 4:01 AM, 36766 bytes, A
     In the existing folder C:\Program Files (x86)\Mozilla Firefox
       Alters the file firefox.exe
         6/20/2016 11:22 AM, 392136 bytes, A ==> 7/19/2016 4:01 AM, 406396 bytes, A
       Adds the file firefox334.exe
         6/20/2016 11:22 AM, 392136 bytes, H
     Adds the folder C:\Program Files (x86)\umm
       Adds the file Microsoft.Win32.TaskScheduler.dll
         6/26/2015 9:08 PM, 294400 bytes, A
       Adds the file rickshaws.exe
         7/19/2016 4:01 AM, 10752 bytes, A
       Adds the file settings.dll
         7/19/2016 4:01 AM, 6656 bytes, A
     In the existing folder C:\Users\{username}\AppData\Local
       Adds the file 10262.exe
         7/19/2016 4:00 AM, 34157 bytes, A
       Adds the file 66534719.exe
         7/19/2016 4:00 AM, 127638 bytes, A
     In the existing folder C:\Users\{username}\AppData\Local\Microsoft\Media Player
       Alters the file CurrentDatabase_372.wmdb
         7/20/2016 11:30 AM, 1331200 bytes, A ==> 8/10/2016 8:32 AM, 1331200 bytes, A
     In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
       Adds the file heaton.lnk
         8/10/2016 8:18 AM, 762 bytes, A
     In the existing folder C:\Windows
       Adds the file scid.exe
         7/19/2016 4:01 AM, 10752 bytes, A
       Adds the file settings.dll
         7/19/2016 4:01 AM, 6656 bytes, A
     In the existing folder C:\Windows\System32\Tasks
       Adds the file 49902965
         8/10/2016 8:19 AM, 3808 bytes, A
       Adds the file Pa4990296549902965
         8/10/2016 8:19 AM, 3662 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "micrometer"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
     "DisableAntiSpyware"="REG_DWORD", 1
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
     "amputate"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.everclips.net]
     "(Default)"="REG_DWORD", 119
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net]
     "(Default)"="REG_DWORD", 119
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
     "ens"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
     "finish"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
     "sacrosanct"="REG_SZ", ""C:\Program Files (x86)\micra\sacrosanct.exe""
     "varmints"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""

     Malwarebytes Anti-Malware log:

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 8/10/2016
     Scan Time: 9:35 AM
     Logfile: mbamDotdoAudio.txt
     Administrator: Yes
     Version: 2.2.1.1043
     Malware Database: v2016.08.10.03
     Rootkit Database: v2016.08.09.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {username}

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 317334
     Time Elapsed: 10 min, 55 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 3
     PUP.Optional.DotDo, C:\Program Files (x86)\micra\sacrosanct.exe, 2100, Delete-on-Reboot, [e3881b2efaa038fe8e73219692726e92]
     PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, 3176, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72]
     PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, 2360, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72]

     Modules: 0
     (No malicious items detected)

     Registry Keys: 4
     PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7183CE50-E79D-43B0-A322-408A35C16BD7}, Delete-on-Reboot, [4922aa9f504a91a5881142882fd31be5],
     PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7BFBE69C-F99A-4C34-B03B-E764BFEB6C29}, Delete-on-Reboot, [4b20fe4b7e1ce353d2c833972ad80ff1],
     PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\49902965, Delete-on-Reboot, [0d5e0c3d1684c2746834e5e57c861de3],
     PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Pa4990296549902965, Delete-on-Reboot, [f17aea5f4753bb7b4d5004c6c9399967],

     Registry Values: 8
     PUP.Optional.DotDo, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|sacrosanct, "C:\Program Files (x86)\micra\sacrosanct.exe", Quarantined, [e3881b2efaa038fe8e73219692726e92]
     PUP.Optional.DotDo.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|micrometer, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
     PUP.Optional.DotDo.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|amputate, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
     PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|finish, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
     PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|varmints, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
     PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ens, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
     PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7183CE50-E79D-43B0-A322-408A35C16BD7}|Path, \49902965, Delete-on-Reboot, [4922aa9f504a91a5881142882fd31be5]
     PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7BFBE69C-F99A-4C34-B03B-E764BFEB6C29}|Path, \Pa4990296549902965, Delete-on-Reboot, [4b20fe4b7e1ce353d2c833972ad80ff1]

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 10
     PUP.Optional.DotDo, C:\Program Files (x86)\micra\sacrosanct.exe, Delete-on-Reboot, [e3881b2efaa038fe8e73219692726e92],
     PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72],
     Trojan.Agent, C:\Users\{username}\Desktop\DotdoSetup.exe, Quarantined, [44271f2acbcfe74f0e7dbea8e51d9769],
     PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\settings.dll, Delete-on-Reboot, [363573d6b3e7c86ea24a4e80ec1531cf],
     Trojan.Agent, C:\Users\{username}\AppData\Local\10262.exe, Quarantined, [e08b8abfff9b9d99bdcefb6b02008b75],
     PUP.Optional.DotDo.PrxySvrRST, C:\Windows\scid.exe, Quarantined, [f576df6af6a4f83ed236c816778ad828],
     PUP.Optional.DotDo.PrxySvrRST, C:\Windows\settings.dll, Quarantined, [f17a66e3702afd39ea024985738e17e9],
     PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\49902965, Quarantined, [cba02f1a14863cfa2a699535689ab050],
     PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\Pa4990296549902965, Quarantined, [8edde4651b7fd56173213892da28af51],
     PUP.Optional.DotDo, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heaton.lnk, Quarantined, [6308fd4c7c1edd593ad4a710788c8d73],

     Physical Sectors: 0
     (No malicious items detected)

     (end)

     As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
     - Dynamically Blocks Malware Sites & Servers
     - Malware Execution Prevention
     Save yourself the hassle and get protected.
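The guide above lists the indicators a technician would look for by hand: hidden renamed browser originals (chrome334.exe, firefox334.exe) next to a replaced chrome.exe/firefox.exe, Run-key values and scheduled tasks pointing at rickshaws.exe and sacrosanct.exe, the DisableAntiSpyware policy value, and the WinDefend service left stopped. The following PowerShell script is an added, read-only triage check written for this page; it is not code from the Malwarebytes guide or from the FRST/MBAM tools. It assumes the default Chrome and Firefox install folders, PowerShell 5.1 or later, and Windows 8 or later for Get-ScheduledTask; the "*334.exe" filename pattern is generalised from the two filenames in the log, and the dropped-binary path fragments are taken from the log as written.

```powershell
# Added triage example (not from the Malwarebytes guide). Read-only: it reports
# indicators and removes nothing. File names and path fragments come from the
# FRST / MBAM logs in the post; the "*334.exe" pattern is an assumption
# generalised from chrome334.exe and firefox334.exe.

$browserDirs = @(
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Mozilla Firefox",
    "$env:ProgramFiles\Mozilla Firefox"
) | Where-Object { Test-Path $_ }

$findings = @()

# 1. The "man in the middle" swap: a hidden renamed original beside the browser
#    executable, and a browser executable whose Authenticode signature no longer
#    validates (the replacement in the log is a different, smaller binary).
foreach ($dir in $browserDirs) {
    Get-ChildItem -Path $dir -Force -Filter '*334.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += "Hidden/renamed original: $($_.FullName) (attributes: $($_.Attributes))"
        }
    foreach ($exe in 'chrome.exe', 'firefox.exe') {
        $p = Join-Path $dir $exe
        if (Test-Path $p) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            if ($sig.Status -ne 'Valid') {
                $findings += "Browser binary not validly signed: $p (status: $($sig.Status))"
            }
        }
    }
}

# 2. Persistence: Run-key values and scheduled-task actions that launch the
#    dropped binaries named in the log.
$droppedBinaries = @('\umm\rickshaws.exe', '\micra\sacrosanct.exe', '\Windows\scid.exe')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        $value = [string]$props.$name
        foreach ($needle in $droppedBinaries) {
            if ($value -like "*$needle*") { $findings += "Run value '$name' in $key -> $value" }
        }
    }
}
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        foreach ($needle in $droppedBinaries) {
            if ("$($action.Execute)" -like "*$needle*") {
                $findings += "Scheduled task '$($task.TaskName)' runs $($action.Execute)"
            }
        }
    }
}

# 3. Defender tampering: the policy value the installer wrote, and the service
#    state the guide tells you to restore (started, Automatic).
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) {
    $findings += 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1'
}
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($svc -and ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic')) {
    $findings += "WinDefend service: status $($svc.Status), start type $($svc.StartType)"
}

if ($findings.Count -eq 0) { 'No Dotdo-Audio indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the Program Files folders are readable. The signature check is the most durable of the three groups: the dropped file names can change between samples, but a chrome.exe or firefox.exe that fails Authenticode validation in a vendor install folder is worth investigating regardless of which hijacker put it there.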