Jump to content

Search the Community

Showing results for tags 'rogue.techsupportscam'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes for Windows Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • Malwarebytes Privacy
    • Malwarebytes Browser Guard
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Nebula
    • Malwarebytes Nebula Modules
    • Malwarebytes Endpoint Security
    • Other Malwarebytes Business Products
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 12 results

  1. MBAM's scheduled scan detected a Rogue.TechSupportScam registry key: tss_log.txt Instead of removing it, I ran a full system scan with MBAM, and I also ran Hitman Pro, Norton, Emsisoft Malware scan, and Windows Defender quick scan. No threats except that MBAM detected the same registry key. Security Check log: SecurityCheck.txt Note: The reason VirtualBox is out-of-date is because the latest version breaks everything FRST: FRST.txtAddition.txt MBAM full scan: MBAM-scan-log.txt(anything in the Shared or Lab folders can be ignored; those threats are not active and are part of my malware samples) The scan also detected these two .dll files, which I have attached. Both are VirusTotal clean. Files: false_positive.zip I went to the key specified but there was nothing there, which worries me. I ran a sfc scan, and it found no issues. As this doesn't scan for malware, it doesn't really mean much. It may - or may not - be relevant, but MBAB keeps showing these two prompts: These just popup while using my device. I scanned that IP with VT and Fortinet was the only one which detected it. There did seem to be some phishing domains on this IP, but the prompt doesn't mention a domain. Detection logs: 2_MBAM.txt1_MBAM.txt3_MBAM.txt I can provide more details as needed
  2. What is Windiskutility? The Malwarebytes research team has determined that Windiskutility is a Tech Support Scam. This one tries to get you to call a French telephone number. How do I know if my computer is affected by Windiskutility? You will see some screens similar to this one shortly after the file is executed: When the three stages are finished you will see this screen: Entering a wrong key and clicking the button behind the textbox gets you this screen: How did Windiskutility get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a Windows driver. How do I remove Windiskutility? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. One of the correct keys to enter is g6r-qrp6-h2. After entering this value by clicking the button you will see: Click OK and the lockscreen will disappear. Then use the Ctrl-Alt-Del keys and Start Task Manager from the resulting screen. In the Windows Task manager click File > New Task (Run...). In the prompt type explorer and click OK. You should now have access to your Desktop again. Then continue with the instructions below. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Windiskutility? No, Malwarebytes removes Windiskutility completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam. Technical details for experts The screenlocker does not make any significant changes to the system, but it intercepts calls to Taskmanager, the Command prompt and the Run prompt while it is active. Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/28/17 Scan Time: 11:56 AM Log File: bd9d4e8d-ebbd-11e7-aebe-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3576 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245269 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 1 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\WINDISKUTILITY.EXE, Delete-on-Reboot, [358], [473454],1.0.3576 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is Troubleshooter? The Malwarebytes research team has determined that Troubleshooter is a Tech Support Scam. This one tries to get you to send $25 to their PayPal account. How do I know if my computer is affected by Troubleshooter? You will see these screens shortly after the file is executed: Clicking Next on the second one gets you this screen: and this one if you follow through: and this one when you try to close your computer after Ctrl-Alt-Del: How did Troubleshooter get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a cracked software installer. How do I remove Troubleshooter? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. Reboot your computer into "Safe Mode". You will see a black screen with Safe Mode in the corners. Use the Ctrl-Alt-Del keys and Start Task Manager from the resulting screen. In the Windows Task manager click File > New Task (Run...). In the prompt type %temp% and click OK. This will open the Temp folder. In that folder find the folder csrvc. In that folder delete the file Troubleshoot.exe Then go back to the Windows Task manager and click File > New Task (Run...). In the prompt type services.msc and click OK. In the list of services find the one called csrvc and rightclick on it. In the poperties screen set the "Startup type" to Disabled. Then use Ctrl-Alt-Del again and Reboot the computer from the resulting screen. After the reboot use the Ctrl-Alt-Del buttons again to Start Task Manager from the resulting screen. Then go back to the Windows Task manager and click File > New Task (Run...). In the prompt type explorer and click OK. You should now have access to your Desktop again. Then continue with the instructions below. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Troubleshooter? No, Malwarebytes removes Troubleshooter completely. You can uninstall adwizz from the list of installed Programs and Features You may still see this message when you reboot: If this is true, and you want to remove it, follow the instructions in the reply to this post. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam. and blocks the download of additional files: Technical details for experts You may see these entries in FRST logs: HKLM\...\Winlogon: [Shell] C:\Users\{username}\AppData\Local\Temp\csrvc\Troubleshoot.exe, [ ] () <=== ATTENTION HKLM\...\Winlogon: [LegalNoticeCaption] Windows Security Warning !! HKLM\...\Winlogon: [LegalNoticeText] Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure. S4 csrvc; C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.exe [56832 2017-11-24] () [File not signed] C:\Users\{username}\Desktop\InstallUtil.InstallLog C:\Program Files\adwizz Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\adwizz Adds the file adwizz.exe"="11/24/2017 9:05 AM, 67072 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file InstallUtil.InstallLog"="11/24/2017 9:05 AM, 664 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc] "Adfly_Urls"="REG_SZ", "" "Banner_Act"="REG_SZ", "True" "BottumBrnAd"="REG_SZ", "" "Computer_Name"="REG_SZ", "{computername}" "Country"="REG_SZ", "" "Cversion"="REG_SZ", "" "Dversion"="REG_SZ", "" "FileLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\Temp\csrvc" "GUID"="REG_SZ", "" "HDD_SerialNo"="REG_SZ", "" "InstalationDateTime"="REG_SZ", "2017-11-24 08:05:22 AM" "Install_ServiceProvider"="REG_SZ", "" "Installation_IP"="REG_SZ","" "IP"="REG_SZ", "" "IsMastered"="REG_SZ", "" "KC_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KF_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KL_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KM_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KT_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KU_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KU_URL"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "Last_IP"="REG_SZ", "" "Last_Seen"="REG_SZ", "2017-11-24 08:05:22 AM" "LeftBrnAd"="REG_SZ", "" "LocalDateTime"="REG_SZ", "" "Logo"="REG_SZ", "" "MAC"="REG_SZ", "" "Manufacturer"="REG_SZ", "" "Message"="REG_SZ", "" "Model"="REG_SZ", "VirtualBox" "Name_OS"="REG_SZ", "Microsoft Windows 7 Ultimate " "PopUp_Act"="REG_SZ", "True" "PopUp_Color"="REG_SZ", "" "Price"="REG_SZ", "$25 USD" "Processor"="REG_SZ", "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz" "RAM"="REG_SZ", "2GB" "Restarter"="REG_SZ", "" "RigthBrnAd"="REG_SZ", "" "ScreenShot"="REG_SZ", "" "SoftwareVersion"="REG_SZ", "3.3" "SysUsername"="REG_SZ", "{username}" "TaskKill"="REG_SZ", "" "TimeZone"="REG_SZ", "" "TollFreeNo"="REG_SZ", "" "TopBrnAd"="REG_SZ", "" "UID_Os"="REG_SZ", "" "Username"="REG_SZ", "khurpechi@gmail.com" "WasOffline"="REG_SZ", "False" "WindowsBrnAd"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "DisabledHotkeys"="REG_SZ", "ER" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "legalnoticecaption" = REG_SZ, "Windows Security Warning !!" "legalnoticetext" = REG_SZ, "Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure." [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz] "DisplayIcon"="REG_SZ", "C:\Program Files\adwizz\adwizz.exe" "DisplayName"="REG_EXPAND_SZ, "adwizz" "DisplayVersion"="REG_SZ", "v1.0" "InstallLocation"="REG_EXPAND_SZ, "C:\Program Files\adwizz" "Publisher"="REG_SZ", "adwizz" "UninstallString"="REG_EXPAND_SZ, "C:\Program Files\adwizz\Uninstall.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "LegalNoticeCaption" = REG_SZ, "Windows Security Warning !!" "LegalNoticeText" = REG_SZ, "Windows has encountered an unexpected error 0xc0000e9. Your computer is missing .dll files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure." "Shell" = REG_SZ, "C:\Users\{username}\AppData\Local\Temp\csrvc\Troubleshoot.exe," "Userinit" = REG_SZ, "" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control] "SystemStartOptions" = REG_SZ, " NOEXECUTE=OPTIN SAFEBOOT:MINIMAL SOS BOOTLOG NOGUIBOOT BOOTLOGO" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option] "OptionValue"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment] "SAFEBOOT_OPTION"="REG_SZ", "MINIMAL" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\Windows\CurrentVersion\csrvc] "Adfly_Urls"="REG_SZ", "" "Banner_Act"="REG_SZ", "True" "BottumBrnAd"="REG_SZ", "" "Computer_Name"="REG_SZ", "{computername}" "Country"="REG_SZ", "" "Cversion"="REG_SZ", "" "Dversion"="REG_SZ", "" "FileLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\Temp\csrvc" "GUID"="REG_SZ", "" "HDD_SerialNo"="REG_SZ", "" "InstalationDateTime"="REG_SZ", "2017-11-24 08:05:22 AM" "Install_ServiceProvider"="REG_SZ", "Instera" "Installation_IP"="REG_SZ", "" "IP"="REG_SZ", "" "IsMastered"="REG_SZ", "" "KC_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KF_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KL_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KM_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KT_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KU_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KU_URL"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "Last_IP"="REG_SZ", "" "Last_Seen"="REG_SZ", "2017-11-24 08:05:22 AM" "LeftBrnAd"="REG_SZ", "" "LocalDateTime"="REG_SZ", "" "Logo"="REG_SZ", "" "MAC"="REG_SZ", "08-00-27-75-02-97" "Manufacturer"="REG_SZ", "" "Message"="REG_SZ", "" "Model"="REG_SZ", "VirtualBox" "Name_OS"="REG_SZ", "Microsoft Windows 7 Ultimate " "PopUp_Act"="REG_SZ", "True" "PopUp_Color"="REG_SZ", "" "Price"="REG_SZ", "$25 USD" "Processor"="REG_SZ", "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz" "RAM"="REG_SZ", "2GB" "Restarter"="REG_SZ", "" "RigthBrnAd"="REG_SZ", "" "ScreenShot"="REG_SZ", "" "SoftwareVersion"="REG_SZ", "3.3" "SysUsername"="REG_SZ", "{username}" "TaskKill"="REG_SZ", "" "TimeZone"="REG_SZ", "" "TollFreeNo"="REG_SZ", "" "TopBrnAd"="REG_SZ", "" "UID_Os"="REG_SZ", "" "Username"="REG_SZ", "khurpechi@gmail.com" "WasOffline"="REG_SZ", "False" "WindowsBrnAd"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\Windows\CurrentVersion\csrvc] "Adfly_Urls"="REG_SZ", "" "Banner_Act"="REG_SZ", "True" "BottumBrnAd"="REG_SZ", "" "Computer_Name"="REG_SZ", "{computername}" "Country"="REG_SZ", "" "Cversion"="REG_SZ", "" "Dversion"="REG_SZ", "" "FileLocation"="REG_SZ", "C:\Users\{username}\AppData\Local\Temp\csrvc" "GUID"="REG_SZ", "" "HDD_SerialNo"="REG_SZ", "" "InstalationDateTime"="REG_SZ", "2017-11-24 08:05:22 AM" "Install_ServiceProvider"="REG_SZ", "" "Installation_IP"="REG_SZ", "" "IP"="REG_SZ", "" "IsMastered"="REG_SZ", "" "KC_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KF_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KL_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KM_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KT_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KU_Code"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "KU_URL"="REG_SZ", "j8MNStZGQ9W6uSslKsLhxQ==" "Last_IP"="REG_SZ", "" "Last_Seen"="REG_SZ", "2017-11-24 08:05:22 AM" "LeftBrnAd"="REG_SZ", "" "LocalDateTime"="REG_SZ", "" "Logo"="REG_SZ", "" "MAC"="REG_SZ", "" "Manufacturer"="REG_SZ", "" "Message"="REG_SZ", "" "Model"="REG_SZ", "VirtualBox" "Name_OS"="REG_SZ", "Microsoft Windows 7 Ultimate " "PopUp_Act"="REG_SZ", "True" "PopUp_Color"="REG_SZ", "" "Price"="REG_SZ", "$25 USD" "Processor"="REG_SZ", "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz" "RAM"="REG_SZ", "2GB" "Restarter"="REG_SZ", "" "RigthBrnAd"="REG_SZ", "" "ScreenShot"="REG_SZ", "" "SoftwareVersion"="REG_SZ", "3.3" "SysUsername"="REG_SZ", "{username}" "TaskKill"="REG_SZ", "" "TimeZone"="REG_SZ", "" "TollFreeNo"="REG_SZ", "" "TopBrnAd"="REG_SZ", "" "UID_Os"="REG_SZ", "" "Username"="REG_SZ", "khurpechi@gmail.com" "WasOffline"="REG_SZ", "False" "WindowsBrnAd"="REG_SZ", "" [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "DisabledHotkeys"="REG_SZ", "ER" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION] "Troubleshoot.exe"="REG_DWORD", 11000 Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/24/17 Scan Time: 3:33 PM Log File: 68e06c0d-d124-11e7-917c-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.212 Update Package Version: 1.0.3339 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 335122 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 4 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 Rogue.TechSupportScam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\csrvc, Quarantined, [387], [461936],1.0.3339 Registry Value: 0 (No malicious items detected) Registry Data: 1 Hijack.Shell.Gen.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, Replaced, [15805], [291910],1.0.3339 Data Stream: 0 (No malicious items detected) Folder: 1 Rogue.TechSupportScam, C:\USERS\{username}\APPDATA\LOCAL\TEMP\CSRVC, Quarantined, [387], [461936],1.0.3339 File: 8 Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\BSOD.exe, Quarantined, [387], [461936],1.0.3339 Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.exe, Quarantined, [387], [461936],1.0.3339 Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.InstallLog, Quarantined, [387], [461936],1.0.3339 Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\csrvc.InstallState, Quarantined, [387], [461936],1.0.3339 Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\Proubleshoot.exe, Quarantined, [387], [461936],1.0.3339 Rogue.TechSupportScam, C:\Users\{username}\AppData\Local\Temp\csrvc\scshtrv.exe, Quarantined, [387], [461936],1.0.3339 Rogue.TechSupportScam, C:\$RECYCLE.BIN\S-1-5-21-.-.-.-1003\$ROV0SDP.EXE, Quarantined, [387], [461980],1.0.3339 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\TROUBLESHOOTER.EXE, Quarantined, [387], [461984],1.0.3339 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Medi Ads Pro? The Malwarebytes research team has determined that Medi Ads Pro is adware. These adware applications display advertisements not originating from the sites you are browsing. How do I know if my computer is affected by Medi Ads Pro? You may see these proxy settings: How did Medi Ads Pro get on my computer? Adware applications use different methods for distributing themselves. This particular one was installed by a bundler. How do I remove Medi Ads Pro? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Medi Ads Pro? No, Malwarebytes removes Medi Ads Pro completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes would have protected you against the Medi Ads Pro adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late. The web protection module also blocks the connections it tries to make: Technical details for experts Possible signs in FRST logs: (medipro.com) C:\Windows\{username}-pc\RuntimeBroker.exe (The Privoxy team - www.privoxy.org) C:\Windows\{username}-pc\oxy.exe ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003] => Proxy is enabled. ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003] => 127.0.0.1:8118 ManualProxies: 1127.0.0.1:8118 R2 RuntimeBroker; C:\Windows\{username}-pc\RuntimeBroker.exe [574976 2017-11-09] (medipro.com) [File not signed] R2 Telephone; C:\Windows\{username}-pc\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed] C:\Windows\{username}-pc (Ads Medi Inc. ) C:\Users\{username}\Desktop\setup.exe (adsmedipro.com) C:\Users\{username}\Desktop\cross1467io.exe () C:\Windows\{username}-pc\mgwz.dll Changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Windows\{username}-pc Adds the file config.txt"="3/29/2016 4:52 AM, 407 bytes, A Adds the file default.action"="2/7/2016 7:40 PM, 21 bytes, A Adds the file default.filter"="10/11/2017 9:08 PM, 110 bytes, A Adds the file mgwz.dll"="1/22/2016 6:15 PM, 86528 bytes, A Adds the file oxy.exe"="1/22/2016 6:15 PM, 373248 bytes, A Adds the file oxy.log"="11/16/2017 8:49 AM, 0 bytes, A Adds the file RuntimeBroker.exe"="11/9/2017 7:50 PM, 574976 bytes, A Adds the file uninstall.bat"="9/10/2016 6:02 AM, 215 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6019D1A7-E09F-4355-94DB-4A74F070BE40}] "uuid"="REG_SZ", "B390BC4A5c503b7" "Version"="REG_SZ", "1.04" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RuntimeBroker] "Description"="REG_SZ", "Helps protect users from Runtime Errors" "DisplayName"="REG_SZ", "RuntimeBroker" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "C:\Windows\{username}-pc\RuntimeBroker.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Telephone] "Description"="REG_SZ", "Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service." "DisplayName"="REG_SZ", "Telephone" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "C:\Windows\{username}-pc\oxy.exe --service" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable REG_DWORD, 0 ==> REG_DWORD, 1 "ProxyServer"="REG_SZ", "127.0.0.1:8118" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/16/17 Scan Time: 9:17 AM Log File: a8374a4f-caa6-11e7-a0b3-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.212 Update Package Version: 1.0.3269 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 333810 Threats Detected: 18 Threats Quarantined: 18 Time Elapsed: 2 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Adware.Privoxy, C:\WINDOWS\{computername}\OXY.EXE, Quarantined, [1488], [385808],1.0.3269 Module: 1 Adware.Privoxy, C:\WINDOWS\{computername}\OXY.EXE, Quarantined, [1488], [385808],1.0.3269 Registry Key: 4 PUM.Optional.ProxyHijacker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Delete-on-Reboot, [8617], [-1],0.0.0 PUM.Optional.ProxyHijacker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Telephone, Delete-on-Reboot, [8617], [-1],0.0.0 PUM.Optional.ProxyHijacker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RuntimeBroker, Delete-on-Reboot, [8617], [-1],0.0.0 Adware.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TELEPHONE, Delete-on-Reboot, [1488], [385808],1.0.3269 Registry Value: 7 PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [8617], [250493],1.0.3269 PUM.Optional.ProxyHijacker, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [8617], [-1],0.0.0 PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [8617], [-1],0.0.0 PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [8617], [-1],0.0.0 PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [8617], [-1],0.0.0 PUM.Optional.ProxyHijacker, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [8617], [-1],0.0.0 Adware.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TELEPHONE|IMAGEPATH, Delete-on-Reboot, [1488], [385808],1.0.3269 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 5 PUM.Optional.ProxyHijacker, C:\WINDOWS\{computername}\oxy.exe, Delete-on-Reboot, [8617], [-1],0.0.0 PUM.Optional.ProxyHijacker, C:\WINDOWS\{computername}\RuntimeBroker.exe, Delete-on-Reboot, [8617], [-1],0.0.0 Adware.Privoxy, C:\WINDOWS\{computername}\OXY.EXE, Delete-on-Reboot, [1488], [385808],1.0.3269 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\CROSS1467IO.EXE, Delete-on-Reboot, [387], [458358],1.0.3269 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\SETUP.EXE, Delete-on-Reboot, [387], [458366],1.0.3269 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is WMPlayer TSS? The Malwarebytes research team has determined that WMPlayer TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by WMPlayer TSS? You will see this screen as soon as the file is executed: How did WMPlayer TSS get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a media player. How do I remove WMPlayer TSS? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. There are several options, but if a simple reboot does not fix the problem, the easiest method is to enter the password in the text field before the Activate Now button. Note that the password for the prompt is 8716098676542789. Once you succeed, screenlocker will disappear, at that point you can use Ctr-Alt-Del to access Taskmanager. If still active End the process called wmplayer.exe. Then use Taskmanager to Run explorer. Then continue with the instructions below. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of WMPlayer TSS? No, Malwarebytes removes WMPlayer TSS completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam. and the exploit protection module would have prevented the program from blocking your screen. Technical details for experts You may see these entries in FRST logs: (Microsoft) C:\Users\{username}\Desktop\wmplayer.exe Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/17/17 Scan Time: 11:28 AM Log File: mbamWMPlayer.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.160 Update Package Version: 1.0.2606 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 321549 Threats Detected: 3 Threats Quarantined: 3 Time Elapsed: 1 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 1 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\WMPLAYER.EXE, Quarantined, [382], [426298],1.0.2606 Module: 1 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\WMPLAYER.EXE, Quarantined, [382], [426298],1.0.2606 Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\WMPLAYER.EXE, Delete-on-Reboot, [382], [426298],1.0.2606 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is PCPrivacyProtect? The Malwarebytes research team has determined that PCPrivacyProtect is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by PCPrivacyProtect? You will see this screen shortly after the file is executed: and you may see these screens during the course of operations: How did PCPrivacyProtect get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was bundled with other software. How do I remove PCPrivacyProtect? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of PCPrivacyProtect? No, Malwarebytes removes PCPrivacyProtect completely. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam. Technical details for experts You may see these entries in FRST logs: (Fraudscore) C:\Users\{username}\Downloads\PCPrivacyProtect.exe C:\Users\{username}\Downloads\PCPrivacyProtect.FRA C:\Users\{username}\Downloads\PCPrivacyProtect.json Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Users\{username}\Downloads Adds the file PCPrivacyProtect.FRA"="8/25/2017 11:48 AM, 696992 bytes, A Adds the file PCPrivacyProtect.json"="8/25/2017 11:48 AM, 499 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Fraudscore\PC Privacy Protect] "cnt"="REG_DWORD", 1 "scan"="REG_BINARY, .... Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/25/17 Scan Time: 11:55 AM Log File: 879405dc-897b-11e7-af31-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.186 Update Package Version: 1.0.2656 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 316903 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 3 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Rogue.TechSupportScam, C:\USERS\{username}\DOWNLOADS\PCPRIVACYPROTECT.EXE, Quarantined, [383], [427956],1.0.2656 Module: 1 Rogue.TechSupportScam, C:\USERS\{username}\DOWNLOADS\PCPRIVACYPROTECT.EXE, Quarantined, [383], [427956],1.0.2656 Registry Key: 1 Rogue.TechSupportScam, HKCU\SOFTWARE\FRAUDSCORE\PC Privacy Protect, Delete-on-Reboot, [383], [427957],1.0.2656 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Rogue.TechSupportScam, C:\USERS\{username}\DOWNLOADS\PCPRIVACYPROTECT.EXE, Delete-on-Reboot, [383], [427956],1.0.2656 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is TSS Power Update? The Malwarebytes research team has determined that TSS Power Update is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by TSS Power Update? You may see this warning when the installer is run: and see a browser window open to a yola site which has been closed down. You will see a screen composed of these elements when the computer reboots: and in the background a prompt for this download: which would install this very similar pest. How did TSS Power Update get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered a an Adobe Flash update. How do I remove TSS Power Update? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. Note that the password for the prompt is mi89, but it might require a few tries. Once you succeed, the text field of the prompt will be greyed out, at that point you can use Ctr-Alt-Del to access Taskmanager. End the processes called R.exe and fatalerror.exe. Then use Taskmanager to Run explorer. Leave Taskmanager open as you may have to End the process called R.exe again. Then continue with the instructions below. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of TSS Power Update? No, Malwarebytes' Anti-Malware removes TSS Power Update completely. How would the full version of Malwarebytes Anti-Malware help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Supprt Scam. Technical details for experts You may see these entries in FRST logs: HKLM-x32\...\Run: [L] => C:\Program Files (x86)\Power Update\R.exe [90112 2016-08-23] () HKLM-x32\...\Winlogon: [Shell] C:\Program Files (x86)\Power Update\fatalerror.exe,C:\Program Files (x86)\Power Update\R.exe [90112 ] () <=== ATTENTION HKCU\...\Run: [AdobeFlash] => C:\Program Files (x86)\Power Update\Adobeflash.exe [24576 2016-08-19] () HKCU\...\Run: [L] => C:\Program Files (x86)\Power Update\R.exe [90112 2016-08-23] () HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\Power Update\R.exe [90112 2016-08-23] () <==== ATTENTION C:\Program Files\Pc Optimizer C:\Program Files (x86)\Power Update C:\Program Files (x86)\Pc Optimizer Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Pc Optimizer\Pc Optimizer Adds the file Windows.exe"="8/13/2016 1:06 AM, 0 bytes, A Adds the folder C:\Program Files (x86)\Pc Optimizer\Pc Optimizer Adds the file Windows.exe"="8/13/2016 1:06 AM, 0 bytes, A Adds the folder C:\Program Files (x86)\Power Update Adds the file Adobeflash.exe"="8/19/2016 10:11 PM, 24576 bytes, A Adds the file ClearLock.ini"="8/10/2016 2:20 AM, 40 bytes, A Adds the file fatalerror.exe"="8/23/2016 11:50 PM, 820373 bytes, A Adds the file R.exe"="8/24/2016 12:11 AM, 90112 bytes, A Adds the file sr60.bat"="8/24/2016 12:17 AM, 186 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "L"="REG_SZ", "C:\Program Files (x86)\Power Update\R.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = REG_SZ, "C:\Program Files (x86)\Power Update\fatalerror.exe,C:\Program Files (x86)\Power Update\R.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "AdobeFlash"="REG_SZ", "C:\Program Files (x86)\Power Update\Adobeflash.exe" "L"="REG_SZ", "C:\Program Files (x86)\Power Update\R.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="REG_SZ", "C:\Program Files (x86)\Power Update\fatalerror.exe,C:\Program Files (x86)\Power Update\R.exe" [HKEY_CURRENT_USER\Software\Power Update\Power Update] "Path"="REG_SZ", "" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/19/16 Scan Time: 9:04 AM Logfile: mbamPowerUpdate.txt Administrator: Yes -Software Information- Version: 3.0.4.1269 Components Version: 1.0.39 Update Package Version: 1.0.784 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 352049 Time Elapsed: 6 min, 40 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 5 Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|AdobeFlash, Delete-on-Reboot, [264], [319015],1.0.784 Rogue.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|L, Delete-on-Reboot, [264], [315581],1.0.784 Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|L, Delete-on-Reboot, [264], [315581],1.0.784 Trojan.Agent, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, Delete-on-Reboot, [22], [222712],1.0.784 Hijack.Shell, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, Replace-on-Reboot, [625], [308938],1.0.784 Data Stream: 0 (No malicious items detected) Folder: 1 Rogue.TechSupportScam, C:\PROGRAM FILES (X86)\POWER UPDATE, Delete-on-Reboot, [264], [315581],1.0.784 File: 5 Rogue.TechSupportScam, C:\PROGRAM FILES (X86)\POWER UPDATE\ADOBEFLASH.EXE, Delete-on-Reboot, [264], [319015],1.0.784 Rogue.TechSupportScam, C:\PROGRAM FILES (X86)\POWER UPDATE\CLEARLOCK.INI, Delete-on-Reboot, [264], [315581],1.0.784 Rogue.TechSupportScam, C:\Program Files (x86)\Power Update\fatalerror.exe, Delete-on-Reboot, [264], [315581],1.0.784 Rogue.TechSupportScam, C:\Program Files (x86)\Power Update\R.exe, Delete-on-Reboot, [264], [315581],1.0.784 Rogue.TechSupportScam, C:\Program Files (x86)\Power Update\sr60.bat, Delete-on-Reboot, [264], [315581],1.0.784 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is Hallmark Card TSS? The Malwarebytes research team has determined that Hallmark Card TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by Hallmark Card TSS? You will see this screen as soon as the executable is run: which will go away if you click the "Exit" button, but this screen will appear after a reboot: How did Hallmark Card TSS get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was installed by a trojan. How do I remove Hallmark Card TSS? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. Reboot the computer into Safe Mode with Networking. Please download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-{version}.exe and follow the prompts to install the program. At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware Then click Finish. Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu. If an update is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer back into normal mode. Thanks to @TheWack0lian we have the codes to unlock the Tech Support lockscreen. "13544687" hides it for 10 minutes and "642358497351" uninstalls the software. Is there anything else I need to do to get rid of Hallmark Card TSS? No, Malwarebytes' Anti-Malware removes Hallmark Card TSS completely. How would the full version of Malwarebytes Anti-Malware help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam. Technical details for experts You may see these entries in FRST logs: HKCU\...\Run: [Windows Authorization] => C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe [214016 2016-11-01] (Microsoft) C:\Users\{username}\AppData\Roaming\WinErr Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\WinErr Adds the file WinErr.exe"="11/1/2016 9:11 AM, 214016 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Windows Authorization"="REG_SZ", "C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe" Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 11/1/2016 Scan Time: 11:09 AM Logfile: mbamHallmarkTSS.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.11.01.05 Rootkit Database: v2016.10.31.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 326864 Time Elapsed: 8 min, 24 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 1 Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Authorization, C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe, Quarantined, [e336a813acee52e4ab54a54d05ff3fc1] Registry Data: 0 (No malicious items detected) Folders: 1 Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\WinErr, Quarantined, [0c0df8c3009acf678f7301f2a75d5ba5], Files: 2 Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe, Quarantined, [e336a813acee52e4ab54a54d05ff3fc1], Rogue.TechSupportScam, C:\Users\{username}\Desktop\Card.exe, Quarantined, [33e6605b5545e25456a912e0fd07cb35], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is Intel TSS? The Malwarebytes research team has determined that Intel TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by Intel TSS? You may see this entry in your list of installed programs: How did Intel TSS get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an Intel graphics driver. But it installs files that will produce a fake Windows BSOD screen with the Tech Support Scammers number. How do I remove Intel TSS? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. Due to the nature of the program there are a few things to do before you can start cleaning. Use the Ctrl-Alt-Del key combination to invoke Task Manager. In the list of active processes select the one that is called Intel.exe with the Description "Intel HD Graphics". Use the "End Process" button to stop the selected process and confirm the action in the resulting prompt. Then you can download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-{version}.exe and follow the prompts to install the program. At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware Then click Finish. Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu. If an update is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Intel TSS? No, Malwarebytes' Anti-Malware removes Intel TSS completely. How would the full version of Malwarebytes Anti-Malware help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam. Technical details for experts You may see these entries in FRST logs: (Intel Corporation) C:\Windows\Intel Corporation\Intel HD Graphics\Intel.exe HKCU\...\Run: [Intel HD Graphics] => C:\Windows\Intel Corporation\Intel HD Graphics\Intel.exe [487424 2016-10-09] (Intel Corporation) C:\Windows\Intel Corporation Intel HD Graphics (HKLM-x32\...\Intel HD Graphics) (Version: 10.1.5.10 - Intel Corporation) Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Windows\Intel Corporation\Intel HD Graphics Adds the file Intel.exe"="10/9/2016 8:18 PM, 487424 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Intel HD Graphics] "DisplayIcon"="REG_SZ", "C:\Windows\Intel Corporation\Intel HD Graphics\Uninstall.exe" "DisplayName"="REG_SZ", "Intel HD Graphics" "DisplayVersion"="REG_SZ", "10.1.5.10" "EstimatedSize"="REG_DWORD", 476 "InstallDate"="REG_SZ", "20161011" "InstallLocation"="REG_SZ", "C:\Windows\Intel Corporation\Intel HD Graphics\" "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\" "Language"="REG_DWORD", 1033 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Intel Corporation" "UninstallString"="REG_SZ", "C:\Windows\Intel Corporation\Intel HD Graphics\Uninstall.exe" "VersionMajor"="REG_DWORD", 10 "VersionMinor"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Intel HD Graphics"="REG_SZ", "C:\Windows\Intel Corporation\Intel HD Graphics\Intel.exe" Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 10/11/2016 Scan Time: 12:51 PM Logfile: mbamIntelTSS.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.10.11.04 Rootkit Database: v2016.09.26.02 License: Premium Malware Protection: Enabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 323931 Time Elapsed: 8 min, 54 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 1 Rogue.TechSupportScam, C:\Windows\Intel Corporation\Intel HD Graphics\Intel.exe, 2160, Delete-on-Reboot, [717f970022789d9998809e6e679e4ab6] Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 1 Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Intel HD Graphics, C:\Windows\Intel Corporation\Intel HD Graphics\Intel.exe, Quarantined, [717f970022789d9998809e6e679e4ab6] Registry Data: 0 (No malicious items detected) Folders: 0 (No malicious items detected) Files: 2 Rogue.TechSupportScam, C:\Windows\Intel Corporation\Intel HD Graphics\Intel.exe, Delete-on-Reboot, [717f970022789d9998809e6e679e4ab6], Rogue.TechSupportScam, C:\Users\{username}\Desktop\Setup32.exe, Quarantined, [2ac627706d2d3303bd641bf1b94c3ec2], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is Regfixer Offer TSS? The Malwarebytes research team has determined that Regfixer Offer TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by Regfixer Offer TSS? You will see this screen immediately after running the file and when the computer boots: How did Regfixer Offer TSS get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a free version of Regfixer. But it only installs files that will produce a fake Windows warning screen with the Tech Support Scammers number. How do I remove Regfixer Offer TSS? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection it takes some extra steps. The screenlocker keeps grabbing focus so it's virtually impossible to make use of Task Manager. So the easiest option is to reboot into Safe Mode with Networking and then follow the instructions below. Please download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-{version}.exe and follow the prompts to install the program. At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware Then click Finish. Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu. If an update is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Regfixer Offer TSS? No, Malwarebytes' Anti-Malware removes Regfixer Offer TSS completely. How would the full version of Malwarebytes Anti-Malware help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam. Technical details for experts You may see these entries in FRST logs: Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FreeDownloadmanager.exe [2016-08-26] () Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tascmgr.exe.lnk [2016-08-26] ShortcutTarget: tascmgr.exe.lnk -> C:\Users\{username}\AppData\Roaming\MicrosoftExch\tascmgr.exe () Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup Adds the file FreeDownloadmanager.exe"="8/26/2016 8:47 AM, 545280 bytes, A Adds the file tascmgr.exe.lnk"="8/26/2016 8:51 AM, 1073 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\MicrosoftExch Adds the file installdetails.txt"="8/26/2016 8:48 AM, 0 bytes, A Adds the file Interop.IWshRuntimeLibrary.dll"="8/26/2016 8:47 AM, 49152 bytes, A Adds the file Interop.Scripting.dll"="8/26/2016 8:47 AM, 32768 bytes, A Adds the file PlatformInfo.dll"="8/26/2016 8:47 AM, 27136 bytes, A Adds the file tascmgr.exe"="8/26/2016 8:47 AM, 78336 bytes, A Adds the file tascmgr.exe.config"="8/26/2016 8:47 AM, 643 bytes, A Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 8/26/2016 Scan Time: 9:01 AM Logfile: mbamRegfixOffer.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.08.26.04 Rootkit Database: v2016.08.15.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 318476 Time Elapsed: 8 min, 18 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 1 Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46], Files: 12 Backdoor.Bot, C:\Users\{username}\AppData\Roaming\MicrosoftExch\tascmgr.exe, Quarantined, [7c30cb84405a1c1a0f12cff80103ab55], Trojan.Injector, C:\Users\{username}\Desktop\FreeDownloadmanager.exe, Quarantined, [78344807f6a4cc6abb030dcc9470629e], Trojan.Downloader, C:\Users\{username}\Desktop\regfixer_offer.exe, Quarantined, [4d5fa5aab0ea62d4d608835563a19769], Backdoor.Bot, C:\Users\{username}\Desktop\tascmgr.exe, Quarantined, [6b41d07f4e4c3cfaa47db116996bc33d], Trojan.Injector, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FreeDownloadmanager.exe, Quarantined, [5b51aba49505d561734bfedbc242f10f], PUP.Optional.FreeDownloadManager, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FreeDownloadmanager.exe, Quarantined, [119bbd926d2d44f227cfaf110cf835cb], Trojan.TechSupportScam, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tascmgr.exe.lnk, Quarantined, [ecc06ce366345cda1264cff24db7f60a], Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\tascmgr.exe.config, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46], Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\installdetails.txt, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46], Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\Interop.IWshRuntimeLibrary.dll, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46], Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\Interop.Scripting.dll, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46], Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\PlatformInfo.dll, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is PC Cleaner Pro? The Malwarebytes research team has determined that PC Cleaner Pro is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. How do I know if my computer is affected by PC Cleaner Pro? You may see this warning during install: You may see this window that covers your whole screen: and these windows while trying to get out of the locked screen: How did PC Cleaner Pro get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a PC cleanerb, but it also installs files that will produce a fake Windows Activation screen with the Tech Support Scammers number. How do I remove PC Cleaner Pro? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. But due to the behaviour of the program you will have to reboot into Safe Mode with Networking first. Alternatively you can try to get out of the lockscreen by typing "closecloseclosecloseclose" in the main form and click on the "Activate" button. You will get a confirmation prompt. Close that prompt and you will be sent back to your desktop. There you may see the main screen of the PC Cleaner Pro part of the setup. But that will not stop you from downloading and running Malwarebytes Anti-Malware. After following either method continue with the instructions below. Please download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-{version}.exe and follow the prompts to install the program. At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware Then click Finish. Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu. If an update is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Windows Games TSS? No, Malwarebytes' Anti-Malware removes Windows Games TSS completely. Is there anything else I need to do to get rid of PC Cleaner Pro? No, Malwarebytes' Anti-Malware removes PC Cleaner Pro completely. How would the full version of Malwarebytes Anti-Malware help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam. Technical details for experts You may see these entries in FRST logs: () C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe HKCU\...\Run: [PC JUNKCLEANER] => C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe [1636352 2016-08-07] () HKCU\...\Run: [POKEMONEGOGAMES] => C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe [568320 2016-08-07] (Microsoft) C:\Users\{username}\Documents\PcjunkCleaner.xml C:\Program Files (x86)\A POKEMONGO Company (A POKEMONGO Company) C:\Users\{username}\Desktop\PCcleanerpro.exe PC Cleaner Pro (x32 Version: 1.0.0 - A POKEMONGO Company) Hidden Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro Adds the file ClearBrowserHistory.dll"="10/9/2015 8:53 PM, 89088 bytes, A Adds the file ClearClipboard.dll"="10/9/2015 8:37 PM, 40960 bytes, A Adds the file ClearRecycleBin.dll"="10/9/2015 8:38 PM, 83968 bytes, A Adds the file NewWindowActivation.exe"="8/7/2016 9:27 AM, 568320 bytes, A Adds the file PC JUNKCLEANER.exe"="8/7/2016 8:47 AM, 1636352 bytes, A Adds the file RunClearHistory.dll"="10/9/2015 8:39 PM, 43008 bytes, A Adds the folder C:\Windows\Installer\{68A9A36C-796C-406E-BF55-3F10D14A336F} Adds the file pokemonego.exe"="8/16/2016 8:29 AM, 370070 bytes, RA Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6] "AdvertiseFlags"="REG_DWORD", 388 "Assignment"="REG_DWORD", 1 "AuthorizedLUAApp"="REG_DWORD", 0 "Clients"="REG_MULTI_SZ, ": " "DeploymentFlags"="REG_DWORD", 3 "InstanceType"="REG_DWORD", 0 "Language"="REG_DWORD", 1033 "PackageCode"="REG_SZ", "DDAA172B049366441A959D3FDCDABA6B" "ProductIcon"="REG_SZ", "C:\Windows\Installer\{68A9A36C-796C-406E-BF55-3F10D14A336F}\pokemonego.exe" "ProductName"="REG_SZ", "PC Cleaner Pro" "Version"="REG_DWORD", 16777216 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6\SourceList] "LastUsedSource"="REG_EXPAND_SZ, "n;1;C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\" "PackageName"="REG_SZ", "PokemoneGoGames.msi" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6\SourceList\Media] "1"="REG_SZ", ";" "DiskPrompt"="REG_SZ", "[1]" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6\SourceList\Net] "1"="REG_EXPAND_SZ, "C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0CC6001FF20744C46A8600498CDD92D9] "C63A9A86C697E604FB55F3011DA433F6"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders] "C:\Program Files (x86)\A POKEMONGO Company\"="REG_SZ", "" "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\"="REG_SZ", "" "C:\Windows\Installer\{68A9A36C-796C-406E-BF55-3F10D14A336F}\"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C63A9A86C697E604FB55F3011DA433F6\InstallProperties] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "This installer database contains the logic and data required to install PC Cleaner Pro." "Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "PC Cleaner Pro" "DisplayVersion"="REG_SZ", "1.0.0" "EstimatedSize"="REG_DWORD", 2392 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20160816" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\" "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\" "Language"="REG_DWORD", 1033 "LocalPackage"="REG_SZ", "C:\Windows\Installer\33aad2.msi" "NoModify"="REG_DWORD", 1 "NoRemove"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "A POKEMONGO Company" "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "SystemComponent"="REG_DWORD", 1 "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 16777216 "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\A POKEMONGO Company\PC Cleaner Pro] "Path"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\" "Version"="REG_SZ", "1.0.0" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Caphyon\Advanced Installer\LZMA\{68A9A36C-796C-406E-BF55-3F10D14A336F}\1.0.0] "AI_ExePath"="REG_SZ", "C:\Users\{username}\Desktop\PCcleanerpro.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{68A9A36C-796C-406E-BF55-3F10D14A336F}] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "This installer database contains the logic and data required to install PC Cleaner Pro." "Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "PC Cleaner Pro" "DisplayVersion"="REG_SZ", "1.0.0" "EstimatedSize"="REG_DWORD", 2392 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20160816" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\" "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\" "Language"="REG_DWORD", 1033 "NoModify"="REG_DWORD", 1 "NoRemove"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "A POKEMONGO Company" "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "SystemComponent"="REG_DWORD", 1 "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 16777216 "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PC JUNKCLEANER] "EXPDATE"="REG_SZ", "2016-08-26" "FIRSTDATE"="REG_SZ", "2016-08-16" "FIRSTTIME"="REG_SZ", "w" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "PC JUNKCLEANER"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe" "POKEMONEGOGAMES"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe" Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 8/16/2016 Scan Time: 8:36 AM Logfile: mbamPCCleanerPro.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.08.16.04 Rootkit Database: v2016.08.15.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 317953 Time Elapsed: 8 min, 56 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 1 Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe, 3640, Delete-on-Reboot, [f9cbc08bc6d412247b3c42875ca8d927] Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 2 Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|PC JUNKCLEANER, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe, Quarantined, [f9cbc08bc6d412247b3c42875ca8d927] Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|POKEMONEGOGAMES, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe, Quarantined, [cdf7f15a62380f278e23f0d97292738d] Registry Data: 0 (No malicious items detected) Folders: 2 Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Files: 8 Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe, Delete-on-Reboot, [f9cbc08bc6d412247b3c42875ca8d927], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe, Quarantined, [cdf7f15a62380f278e23f0d97292738d], Rogue.TechSupportScam, C:\Users\{username}\Desktop\PCcleanerpro.exe, Quarantined, [4381ba91cad0cb6b76346069996bd52b], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\ClearBrowserHistory.dll, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\ClearClipboard.dll, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\ClearRecycleBin.dll, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\RunClearHistory.dll, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Users\{username}\Documents\PcjunkCleaner.xml, Quarantined, [0db7df6ceab02d09357b339642c22fd1], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Windows Games TSS? The Malwarebytes research team has determined that Windows Games TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. This particular one uses a continuously refershing window to block the user from the use of his system. How do I know if my computer is affected by Windows Games TSS? This is one of the warnings displayed during install: You may see this window that covers your whole screen after logging on: and these windows while trying to get out of the locked screen: How did Windows Games TSS get on my computer? Tech Support Scammers use different methods for distributing themselves. This particular one was installed by a trojan. How do I remove Windows Games TSS? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. But due to the behaviour of the program you will have to reboot into Safe Mode with Networking first. Alternatively you can try to get out of the lockscreen by typing "closecloseclosecloseclose" in the main form and click on the "Activate" button. You will get a confirmation prompt. Close that prompt and you will be sent back to your desktop. After following either method continue with the instructions below. Please download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-{version}.exe and follow the prompts to install the program. At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware Then click Finish. Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu. If an update is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Windows Games TSS? No, Malwarebytes' Anti-Malware removes Windows Games TSS completely. How would the full version of Malwarebytes Anti-Malware help protect me? We hope our application and this guide have helped you eradicate this Tech Support Scam. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam. Technical details for experts You may see these entries in FRST logs: HKCU\...\Run: [NewWindowActivation] => C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe [648512 2016-07-26] (Microsoft) C:\Program Files\Microsoft Games Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Microsoft Games\Windows Games Adds the file NewWindowActivation.exe"="7/26/2016 9:49 PM, 648512 bytes, A Adds the file test1.bat"="7/19/2016 10:56 PM, 590 bytes, A Adds the folder C:\Program Files (x86)\Microsoft\Windows Games Adds the file myTP.exe"="7/29/2016 5:24 PM, 61952 bytes, A Adds the file Windows Games.exe"="7/28/2016 12:18 AM, 2310032 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Speech\Files\UserLexicons Adds the file SP_86C9F42BC988495188D431A2C246FFF5.dat"="8/9/2016 8:43 AM, 940 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows Games 1.0.0.1\install\A63CEE2 Adds the folder C:\Windows\Installer\{034F626D-06B1-40B7-81CA-2B926A63CEE2} Adds the file Windows10logo_1.exe"="8/9/2016 8:39 AM, 370070 bytes, RA Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4C770621CB220AE418F93890344C0297] "AdvertiseFlags"="REG_DWORD", 388 "Assignment"="REG_DWORD", 1 "AuthorizedLUAApp"="REG_DWORD", 0 "Clients"="REG_MULTI_SZ, ": " "DeploymentFlags"="REG_DWORD", 3 "InstanceType"="REG_DWORD", 0 "Language"="REG_DWORD", 1033 "PackageCode"="REG_SZ", "460A7E668DC17764C96D01255D06F89F" "ProductIcon"="REG_SZ", "C:\Windows\Installer\{126077C4-22BC-4EA0-819F-830943C42079}\favicon.exe" "ProductName"="REG_SZ", "Windows Games" "Version"="REG_DWORD", 33554432 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4C770621CB220AE418F93890344C0297\SourceList] "LastUsedSource"="REG_EXPAND_SZ, "n;1;C:\Users\{username}\AppData\Roaming\Microsoft Games\Windows Games 2.0.0.1\install\" "PackageName"="REG_SZ", "Windows Games.x64.msi" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D626F4301B607B0418ACB229A636EC2E] "AdvertiseFlags"="REG_DWORD", 388 "Assignment"="REG_DWORD", 1 "AuthorizedLUAApp"="REG_DWORD", 0 "Clients"="REG_MULTI_SZ, ": " "DeploymentFlags"="REG_DWORD", 3 "InstanceType"="REG_DWORD", 0 "Language"="REG_DWORD", 1033 "PackageCode"="REG_SZ", "AD7BFD8BE497716428877EDA23DC3BB3" "ProductIcon"="REG_SZ", "C:\Windows\Installer\{034F626D-06B1-40B7-81CA-2B926A63CEE2}\Windows10logo_1.exe" "ProductName"="REG_SZ", "Windows Games" "Version"="REG_DWORD", 16777216 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126077C4-22BC-4EA0-819F-830943C42079}] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "This installer database contains the logic and data required to install Windows Games." "Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "Windows Games" "DisplayVersion"="REG_SZ", "2.0.0.1" "EstimatedSize"="REG_DWORD", 618 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20160809" "InstallLocation"="REG_SZ", "C:\Program Files\Microsoft Games\Windows Games\" "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Microsoft Games\Windows Games 2.0.0.1\install\" "Language"="REG_DWORD", 1033 "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /X{126077C4-22BC-4EA0-819F-830943C42079}" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Microsoft Games" "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "SystemComponent"="REG_DWORD", 1 "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /X{126077C4-22BC-4EA0-819F-830943C42079}" "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 33554432 "VersionMajor"="REG_DWORD", 2 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{034F626D-06B1-40B7-81CA-2B926A63CEE2}] "AuthorizedCDFPrefix"="REG_SZ", "" "Comments"="REG_SZ", "This installer database contains the logic and data required to install Windows Games." "Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "Windows Games" "DisplayVersion"="REG_SZ", "1.0.0.1" "EstimatedSize"="REG_DWORD", 2300 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20160809" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Microsoft\Windows Games\" "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Microsoft\Windows Games 1.0.0.1\install\A63CEE2\" "Language"="REG_DWORD", 1033 "NoModify"="REG_DWORD", 1 "NoRemove"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Microsoft" "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "SystemComponent"="REG_DWORD", 1 "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 16777216 "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Games] "Path"="REG_SZ", "C:\Program Files (x86)\Microsoft\Windows Games\" "Version"="REG_SZ", "1.0.0.1" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft Games\Windows Games] "Path"="REG_SZ", "C:\Program Files\Microsoft Games\Windows Games\" "Version"="REG_SZ", "2.0.0.1" [HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN] "NewWindowActivation"="C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe" Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 8/9/2016 Scan Time: 10:25 AM Logfile: mbamPublisher.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.08.09.04 Rootkit Database: v2016.05.27.01 License: Premium Malware Protection: Enabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 317083 Time Elapsed: 8 min, 51 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 1 Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|NewWindowActivation, C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63] Registry Data: 0 (No malicious items detected) Folders: 1 Rogue.TechSupportScam, C:\Program Files\Microsoft Games\Windows Games, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63], Files: 3 Rogue.TechSupportScam, C:\Users\{username}\Desktop\Publisher.exe, Quarantined, [6f995fea59412016914627a1eb1906fa], Rogue.TechSupportScam, C:\Program Files\Microsoft Games\Windows Games\test1.bat, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63], Rogue.TechSupportScam, C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.