Showing results for tags 'trojan.techsupportscam'.

Found 13 results

  1. What is Office 1.00?

     The Malwarebytes research team has determined that Office 1.00 is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

     How do I know if my computer is affected by Office 1.00?

     You will see this screen as soon as the file is executed:

     You may see a short glimpse of this one before the screenlock and after you have stopped it:

     How did Office 1.00 get on my computer?

     Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an installer for a cracked Office version.

     How do I remove Office 1.00?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

     You may have to use the system's power button to shut the system down, or if you have that option, switch user and then shut down to get the system to reboot as this program actively stops a normal shutdown. Then boot into Safe Mode with Networking.

     As an alternative: we have found that in most cases the screenlock stops when you push the F7 key. After returning to your desktop, continue with the instructions below. You can use the Taskmanager to End the MicrosoftOffice process:

     • Please download Malwarebytes to your desktop.
     • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     • Then click Finish.
     • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Office 1.00?

     No, Malwarebytes removes Office 1.00 completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.

     Technical details for experts

     You may see these entries in FRST logs:

       (Microsoft ) C:\Users\{username}\Desktop\microsoftoffice- blue Screen.exe
       () C:\Program Files (x86)\Microsoft Office\MicrosoftOffice.exe
       HKCU\...\Run: [SC.exe] => C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe [253952 2017-07-18] ()
       C:\Program Files (x86)\Microsoft Office
       Microsoft Office 1.00 (HKLM-x32\...\Microsoft Office 1.00) (Version: 1.00 - Microsoft)

     Alterations made by the installer:

       File system details [View: All details] (Selection)
       ---------------------------------------------------
       Adds the folder C:\Program Files (x86)\Microsoft Office
         Adds the file MicrosoftOffice.exe"="7/18/2017 3:51 PM, 253952 bytes, A
         Adds the file Uninstall.exe"="9/19/2017 8:48 AM, 99895 bytes, A
         Adds the file Uninstall.ini"="9/19/2017 8:48 AM, 2781 bytes, A

       Registry details [View: All details] (Selection)
       ------------------------------------------------
       [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Office 1.00]
         "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe"
         "DisplayName"="REG_SZ", "Microsoft Office 1.00"
         "DisplayVersion"="REG_SZ", "1.00"
         "EstimatedSize"="REG_DWORD", 346
         "HelpLink"="REG_SZ", "mailto:support@microsoft.com"
         "InstallDate"="REG_SZ", "20170919"
         "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\"
         "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
         "Language"="REG_DWORD", 1033
         "NoModify"="REG_DWORD", 1
         "NoRepair"="REG_DWORD", 1
         "Publisher"="REG_SZ", "Microsoft"
         "UninstallString"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Uninstall.exe"
         "URLInfoAbout"="REG_SZ", "http://www.Microsoft.com/"
         "VersionMajor"="REG_DWORD", 1
         "VersionMinor"="REG_DWORD", 0
       [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
         "SC.exe"="REG_SZ", "C:\Program Files (x86)\Microsoft Office\Microsoftoffice.exe"

     Malwarebytes scan log:

       Malwarebytes
       www.malwarebytes.com

       -Log Details-
       Scan Date: 9/20/17
       Scan Time: 3:04 PM
       Log File: 3e2aa053-9e04-11e7-8352-080027750297.json
       Administrator: Yes

       -Software Information-
       Version: 3.2.2.2018
       Components Version: 1.0.188
       Update Package Version: 1.0.2850
       License: Premium

       -System Information-
       OS: Windows 7 Service Pack 1
       CPU: x64
       File System: NTFS
       User: {computername}\{username}

       -Scan Summary-
       Scan Type: Threat Scan
       Result: Completed
       Objects Scanned: 320367
       Threats Detected: 7
       Threats Quarantined: 7
       Time Elapsed: 2 min, 3 sec

       -Scan Options-
       Memory: Enabled
       Startup: Enabled
       Filesystem: Enabled
       Archives: Enabled
       Rootkits: Disabled
       Heuristics: Enabled
       PUP: Detect
       PUM: Detect

       -Scan Details-
       Process: 2
       Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850
       Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850

       Module: 2
       Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Quarantined, [77], [437097],1.0.2850
       Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Quarantined, [648], [437068],1.0.2850

       Registry Key: 0
       (No malicious items detected)

       Registry Value: 1
       Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SC.EXE, Delete-on-Reboot, [77], [437097],1.0.2850

       Registry Data: 0
       (No malicious items detected)

       Data Stream: 0
       (No malicious items detected)

       Folder: 0
       (No malicious items detected)

       File: 2
       Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\MICROSOFTOFFICE.EXE, Delete-on-Reboot, [77], [437097],1.0.2850
       Ransom.TechSupportScam, C:\USERS\{username}\DESKTOP\MICROSOFTOFFICE- BLUE SCREEN.EXE, Delete-on-Reboot, [648], [437068],1.0.2850

       Physical Sector: 0
       (No malicious items detected)

       (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.
  2. What is Pcobserver?

     The Malwarebytes research team has determined that Pcobserver is a fake registry cleaner. These so-called "registry cleaners" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

     How do I know if I am infected with Pcobserver?

     This is how the main screen of the registry cleaning application looks:

     You will find these icons in your taskbar and on your desktop:

     and this one in your Startup folder:

     Note that this one will download a Tech Support screenlocker given the chance. See reply to this post.

     And see these warnings during install:

     and these screens during "operations":

     You may see this entry in your list of installed programs:

     How did Pcobserver get on my computer?

     These so-called registry cleaners use different methods of getting installed. This particular one was bundled by other software.

     How do I remove Pcobserver?

     Our program Malwarebytes can detect and remove this potentially unwanted application.

     • Please download Malwarebytes to your desktop.
     • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     • Then click Finish.
     • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Pcobserver?

     No, Malwarebytes removes Pcobserver completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this registry cleaner. As you can see below the full version of Malwarebytes would have protected you against the Pcobserver installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

     and it blocks traffic to some of their domains:

     Technical details for experts

     You may see these entries in FRST logs:

       () C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe
       Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WMPNewtworksSvcx.lnk [2017-04-05]
       ShortcutTarget: WMPNewtworksSvcx.lnk -> C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\WMPNewtworksSvcx.exe (Windows Media Player)
       C:\Users\{username}\AppData\Roaming\Pcobserver
       Pcobserver (HKLM-x32\...\{1BFA4EE2-69A7-457C-B697-D332D6A17422}) (Version: 1.0.0 - Pcobserver)

     Alterations made by the installer:

       File system details [View: All details] (Selection)
       ---------------------------------------------------
       Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Installer\{1BFA4EE2-69A7-457C-B697-D332D6A17422}
         Adds the file Pcobserver.exe"="4/6/2017 1:12 PM, 370070 bytes, RA
         Adds the file WRC9Setup2.exe"="4/6/2017 1:12 PM, 67646 bytes, RA
       In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
         Adds the file WMPNewtworksSvcx.lnk"="4/6/2017 1:12 PM, 1285 bytes, A
       Adds the folder C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver
         Adds the file installdetails.txt"="4/6/2017 1:13 PM, 0 bytes, A
         Adds the file Interop.Scripting.dll"="7/21/2016 7:17 AM, 32768 bytes, A
         Adds the file Pcobserver.exe"="9/7/2016 5:01 AM, 615936 bytes, A
         Adds the file Pcobserver.exe.config"="9/7/2016 5:01 AM, 641 bytes, A
         Adds the file Pcobserver.pdb"="9/7/2016 5:01 AM, 226816 bytes, A
         Adds the file Pcobserver.vshost.exe"="9/7/2016 4:50 AM, 11608 bytes, A
         Adds the file Pcobserver.vshost.exe.config"="8/9/2016 8:32 PM, 642 bytes, A
         Adds the file Pcobserver.vshost.exe.manifest"="7/14/2016 5:37 PM, 2502 bytes, A
         Adds the file Pcobserver.xml"="9/7/2016 5:01 AM, 38330 bytes, A
       Adds the folder C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background
         Adds the file Interop.IWshRuntimeLibrary.dll"="7/6/2016 4:04 PM, 49152 bytes, A
         Adds the file Interop.Scripting.dll"="7/11/2016 3:39 PM, 32768 bytes, A
         Adds the file PlatformInfo.dll"="7/10/2016 8:30 PM, 27136 bytes, A
         Adds the file WMPNewtworksSvcx.exe"="4/5/2017 10:41 AM, 244224 bytes, A
         Adds the file WMPNewtworksSvcx.exe.config"="4/5/2017 10:40 AM, 1616 bytes, A
       Adds the folder C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install
       In the existing folder C:\Users\{username}\Desktop
         Adds the file Pcobserver.lnk"="4/6/2017 1:12 PM, 2124 bytes, A
       In the existing folder C:\Windows\Installer
         Adds the file b0666.msi"="4/6/2017 1:12 PM, 1149440 bytes, A
         Adds the file SourceHash{1BFA4EE2-69A7-457C-B697-D332D6A17422}"="4/6/2017 1:12 PM, 20480 bytes, A

       Registry details [View: All details] (Selection)
       ------------------------------------------------
       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{CUSID}\Products\2EE4AFB17A96C7546B793D236D1A4722\InstallProperties]
         "AuthorizedCDFPrefix"="REG_SZ", ""
         "Comments"="REG_SZ", "This installer database contains the logic and data required to install Pcobserver."
         "Contact"="REG_SZ", ""
         "DisplayName"="REG_SZ", "Pcobserver"
         "DisplayVersion"="REG_SZ", "1.0.0"
         "EstimatedSize"="REG_DWORD", 1266
         "HelpLink"="REG_SZ", ""
         "HelpTelephone"="REG_SZ", ""
         "InstallDate"="REG_SZ", "20170406"
         "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\"
         "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install\"
         "Language"="REG_DWORD", 1033
         "LocalPackage"="REG_SZ", "C:\Windows\Installer\b0666.msi"
         "ModifyPath"="REG_EXPAND_SZ", "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}"
         "Publisher"="REG_SZ", "Pcobserver"
         "Readme"="REG_SZ", ""
         "Size"="REG_SZ", ""
         "UninstallString"="REG_EXPAND_SZ", "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}"
         "URLInfoAbout"="REG_SZ", ""
         "URLUpdateInfo"="REG_SZ", ""
         "Version"="REG_DWORD", 16777216
         "VersionMajor"="REG_DWORD", 1
         "VersionMinor"="REG_DWORD", 0
         "WindowsInstaller"="REG_DWORD", 1
       [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1BFA4EE2-69A7-457C-B697-D332D6A17422}]
         "AuthorizedCDFPrefix"="REG_SZ", ""
         "Comments"="REG_SZ", "This installer database contains the logic and data required to install Pcobserver."
         "Contact"="REG_SZ", ""
         "DisplayName"="REG_SZ", "Pcobserver"
         "DisplayVersion"="REG_SZ", "1.0.0"
         "EstimatedSize"="REG_DWORD", 1266
         "HelpLink"="REG_SZ", ""
         "HelpTelephone"="REG_SZ", ""
         "InstallDate"="REG_SZ", "20170406"
         "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\"
         "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install\"
         "Language"="REG_DWORD", 1033
         "ModifyPath"="REG_EXPAND_SZ", "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}"
         "Publisher"="REG_SZ", "Pcobserver"
         "Readme"="REG_SZ", ""
         "Size"="REG_SZ", ""
         "UninstallString"="REG_EXPAND_SZ", "MsiExec.exe /I{1BFA4EE2-69A7-457C-B697-D332D6A17422}"
         "URLInfoAbout"="REG_SZ", ""
         "URLUpdateInfo"="REG_SZ", ""
         "Version"="REG_DWORD", 16777216
         "VersionMajor"="REG_DWORD", 1
         "VersionMinor"="REG_DWORD", 0
         "WindowsInstaller"="REG_DWORD", 1
       [HKEY_CURRENT_USER\Software\DIS\Pcobserver]
         "Path"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\"
         "Version"="REG_SZ", "1.0.0"

     Malwarebytes log:

       Malwarebytes
       www.malwarebytes.com

       -Log Details-
       Scan Date: 4/7/17
       Scan Time: 1:22 PM
       Logfile: mbamPcobserver.txt
       Administrator: Yes

       -Software Information-
       Version: 3.0.6.1469
       Components Version: 1.0.96
       Update Package Version: 1.0.1680
       License: Premium

       -System Information-
       OS: Windows 7 Service Pack 1
       CPU: x64
       File System: NTFS
       User: {computername}\{username}

       -Scan Summary-
       Scan Type: Threat Scan
       Result: Completed
       Objects Scanned: 325647
       Time Elapsed: 1 min, 16 sec

       -Scan Options-
       Memory: Enabled
       Startup: Enabled
       Filesystem: Enabled
       Archives: Enabled
       Rootkits: Disabled
       Heuristics: Enabled
       PUP: Enabled
       PUM: Enabled

       -Scan Details-
       Process: 1
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe, Quarantined, [5687], [387647],1.0.1680

       Module: 2
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Interop.Scripting.dll, Quarantined, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe, Quarantined, [5687], [387647],1.0.1680

       Registry Key: 0
       (No malicious items detected)

       Registry Value: 0
       (No malicious items detected)

       Registry Data: 0
       (No malicious items detected)

       Data Stream: 0
       (No malicious items detected)

       Folder: 5
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0\install, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver 1.0.0, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\USERS\{username}\APPDATA\ROAMING\PCOBSERVER, Delete-on-Reboot, [5687], [387647],1.0.1680

       File: 17
       PUP.Optional.Pcobserver, C:\USERS\{username}\APPDATA\ROAMING\PCOBSERVER\PCOBSERVER\INSTALLDETAILS.TXT, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\Interop.IWshRuntimeLibrary.dll, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\Interop.Scripting.dll, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\PlatformInfo.dll, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\WMPNewtworksSvcx.exe, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\background\WMPNewtworksSvcx.exe.config, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Interop.Scripting.dll, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.exe.config, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.pdb, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.vshost.exe, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.vshost.exe.config, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.vshost.exe.manifest, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\Users\{username}\AppData\Roaming\Pcobserver\Pcobserver\Pcobserver.xml, Delete-on-Reboot, [5687], [387647],1.0.1680
       PUP.Optional.Pcobserver, C:\USERS\{username}\DESKTOP\PCOBSERVER.LNK, Delete-on-Reboot, [5687], [387649],1.0.1680
       Trojan.Dropper, C:\USERS\{username}\DESKTOP\WRC9SETUP.EXE, Delete-on-Reboot, [17], [387646],1.0.1680
       PUP.Optional.Pcobserver, C:\USERS\{username}\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WMPNEWTWORKSSVCX.LNK, Delete-on-Reboot, [5687], [387650],1.0.1680

       Physical Sector: 0
       (No malicious items detected)

       (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.
  3. What is Advanis?

     The Malwarebytes research team has determined that Advanis is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

     How do I know if my computer is affected by Advanis?

     You will see this screen as soon as the install has completed and when you reboot:

     and you may see this entry in your list of installed software:

     How did Advanis get on my computer?

     Tech Support Scammers use different methods for distributing themselves. This particular one was downloaded by a trojan.

     How do I remove Advanis?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

     To minimize the screenlocker use the backspace key on your keyboard. The minimized screen will be titled "Market Tools". Alternatively you can switch user accounts on your computer. Once you are able to use your computer normally, continue with the instructions below.

     • Please download Malwarebytes to your desktop.
     • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     • Then click Finish.
     • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Advanis?

     No, Malwarebytes removes Advanis completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.

     and we would have blocked the download of the installer:

     Technical details for experts

     You may see these entries in FRST logs:

       () C:\Windows\Advanis\MT\MT.exe
       HKCU\...\Run: [MT] => C:\Windows\Advanis\MT\MT.exe [1155072 2017-03-14] ()
       C:\Windows\Advanis
       MT (HKLM-x32\...\MT) (Version: 4.3.2.6 - Advanis)

     Alterations made by the installer:

       File system details [View: All details] (Selection)
       ---------------------------------------------------
       Adds the folder C:\Windows\Advanis\MT
         Adds the file MT.exe"="3/14/2017 10:55 AM, 1155072 bytes, A
         Adds the file Uninstall.exe"="3/15/2017 9:00 AM, 468005 bytes, A
         Adds the file Uninstall.ini"="3/15/2017 9:00 AM, 2295 bytes, A

       Registry details [View: All details] (Selection)
       ------------------------------------------------
       [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MT]
         "DisplayIcon"="REG_SZ", "C:\Windows\Advanis\MT\Uninstall.exe"
         "DisplayName"="REG_SZ", "MT"
         "DisplayVersion"="REG_SZ", "4.3.2.6"
         "EstimatedSize"="REG_DWORD", 1585
         "HelpLink"="REG_SZ", "support@advanis.net"
         "InstallDate"="REG_SZ", "20170315"
         "InstallLocation"="REG_SZ", "C:\Windows\Advanis\MT\"
         "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
         "Language"="REG_DWORD", 1033
         "NoModify"="REG_DWORD", 1
         "NoRepair"="REG_DWORD", 1
         "Publisher"="REG_SZ", "Advanis"
         "UninstallString"="REG_SZ", "C:\Windows\Advanis\MT\Uninstall.exe"
         "URLInfoAbout"="REG_SZ", "www.Advanis.net"
         "VersionMajor"="REG_DWORD", 4
         "VersionMinor"="REG_DWORD", 3
       [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
         "MT"="REG_SZ", "C:\Windows\Advanis\MT\MT.exe"

     Malwarebytes scan log:

       Malwarebytes
       www.malwarebytes.com

       -Log Details-
       Scan Date: 3/15/17
       Scan Time: 9:10 AM
       Logfile: mbamAdvanis.txt
       Administrator: Yes

       -Software Information-
       Version: 3.0.5.1299
       Components Version: 1.0.43
       Update Package Version: 1.0.1507
       License: Premium

       -System Information-
       OS: Windows 7 Service Pack 1
       CPU: x64
       File System: NTFS
       User: {computername}\{username}

       -Scan Summary-
       Scan Type: Threat Scan
       Result: Completed
       Objects Scanned: 364672
       Time Elapsed: 1 min, 12 sec

       -Scan Options-
       Memory: Enabled
       Startup: Enabled
       Filesystem: Enabled
       Archives: Enabled
       Rootkits: Disabled
       Heuristics: Enabled
       PUP: Enabled
       PUM: Enabled

       -Scan Details-
       Process: 1
       Trojan.TechSupportScam, C:\WINDOWS\ADVANIS\MT\MT.EXE, Quarantined, [125], [380134],1.0.1507

       Module: 1
       Trojan.TechSupportScam, C:\WINDOWS\ADVANIS\MT\MT.EXE, Quarantined, [125], [380134],1.0.1507

       Registry Key: 0
       (No malicious items detected)

       Registry Value: 1
       Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MT, Delete-on-Reboot, [125], [380134],1.0.1507

       Data Stream: 0
       (No malicious items detected)

       Folder: 0
       (No malicious items detected)

       File: 2
       Trojan.TechSupportScam, C:\WINDOWS\ADVANIS\MT\MT.EXE, Delete-on-Reboot, [125], [380134],1.0.1507
       Trojan.TechSupportScam, C:\USERS\{username}\DESKTOP\SETUP (14).EXE, Delete-on-Reboot, [125], [380135],1.0.1507

       Physical Sector: 0
       (No malicious items detected)

       (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.
  4. What is TSS MoboPlay?

     The Malwarebytes research team has determined that TSS MoboPlay is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

     How do I know if my computer is affected by TSS MoboPlay?

     You will see this screen as soon as the file is run:

     and this prompt if you feed it the wrong activation key:

     How did TSS MoboPlay get on my computer?

     Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a free app management program.

     How do I remove TSS MoboPlay?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

     Method 1:

     • You can reboot the computer and you will have normal access again.

     Method 2:

     • Type in the activation key 8716098676542789
     • Click Activate Now.
     • Click OK in the resulting prompt.

     After either of these methods continue with the instructions below.

     • Please download Malwarebytes to your desktop.
     • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     • Then click Finish.
     • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of TSS MoboPlay?

     No, Malwarebytes' Anti-Malware removes TSS MoboPlay completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.

     Technical details for experts

     Alterations made by the installer:

       File system details [View: All details] (Selection)
       ---------------------------------------------------
       In the existing folder C:\Users\{username}\Desktop
         Adds the file MoboPlay_freewarefiles.exe"="1/3/2017 4:35 PM, 546304 bytes, A

     Note that the file could be in a different location like your Downloads folder or a Temp folder.

     Malwarebytes scan log:

       Malwarebytes
       www.malwarebytes.com

       -Log Details-
       Scan Date: 1/5/17
       Scan Time: 2:33 PM
       Logfile: mbamTSSMoboPlay.txt
       Administrator: Yes

       -Software Information-
       Version: 3.0.5.1299
       Components Version: 1.0.43
       Update Package Version: 1.0.933
       License: Premium

       -System Information-
       OS: Windows 7 Service Pack 1
       CPU: x64
       File System: NTFS
       User: {computername}\{username}

       -Scan Summary-
       Scan Type: Threat Scan
       Result: Completed
       Objects Scanned: 354021
       Time Elapsed: 8 min, 33 sec

       -Scan Options-
       Memory: Enabled
       Startup: Enabled
       Filesystem: Enabled
       Archives: Enabled
       Rootkits: Enabled
       Heuristics: Enabled
       PUP: Enabled
       PUM: Enabled

       -Scan Details-
       Process: 0
       (No malicious items detected)

       Module: 0
       (No malicious items detected)

       Registry Key: 0
       (No malicious items detected)

       Registry Value: 0
       (No malicious items detected)

       Data Stream: 0
       (No malicious items detected)

       Folder: 0
       (No malicious items detected)

       File: 1
       Trojan.TechSupportScam, C:\USERS\{username}\DESKTOP\MOBOPLAY_FREEWAREFILES.EXE, Delete-on-Reboot, [124], [357574],1.0.933

       Physical Sector: 0
       (No malicious items detected)

       (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.
  5. What is TSS HDWebcam?

     The Malwarebytes research team has determined that TSS HDWebcam is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

     How do I know if my computer is affected by TSS HDWebcam?

     You will see this screen as soon as one of the Scheduled Tasks is run (including at reboot):

     and you may see this warning during install:

     and these Scheduled Tasks:

     How did TSS HDWebcam get on my computer?

     Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a Windows 10 keygen.

     How do I remove TSS HDWebcam?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

     This screenlocker also disables Taskmanager so our best option is to reboot into Safe Mode with Networking. Then continue with the instructions below.

     • Please download Malwarebytes to your desktop.
     • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
     • Then click Finish.
     • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
     • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Note that in the locked screen there are two "product keys" that render a result. Entering M8856-TFH05-QV789-23JJD-001RE will result in this prompt:

     and entering KLG89-VV129-LP9S3-XV84E-LL02S will produce this one:

     Clicking OK on either of these prompts will return you to an empty desktop with no taskbar, so unless you had a program open that could be helpful, these are of no use to get rid of the infection.

     Is there anything else I need to do to get rid of TSS HDWebcam?

     No, Malwarebytes' Anti-Malware removes TSS HDWebcam completely.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.

     Technical details for experts

     You may see these entries in FRST logs:

       HKLM-x32\...\Run: [Windows Pro] => C:\Program Files (x86)\WindowsActivationPro10.exe
       HKCU\...\Run: [Windows Pro] => C:\Program Files (x86)\WindowsActivationPro10.exe
       HKCU\...\Policies\system: [DisableTaskMgr] 1
       C:\Windows\Tasks\WindowsActivationPro10.job
       C:\Windows\System32\Tasks\WindowsActivationPro10
       C:\Users\Public\Desktop\HDwebcam.lnk
       C:\Program Files (x86)\HDwebcam
       C:\Windows\Tasks\WindowsActivationPro.job
       C:\Windows\System32\Tasks\WindowsActivationPro
       C:\Users\{username}\AppData\Roaming\HDwebcam
       () C:\Program Files (x86)\WindowsActivationPro10.exe
       Task: {394D03CD-86CB-4E27-A05E-1D9FD72CF9AB} - System32\Tasks\WindowsActivationPro10 => C:\Program Files (x86)\WindowsActivationPro10.exe
       Task: {F6F62841-A395-4A76-A4D4-08C50EAF642D} - System32\Tasks\WindowsActivationPro => C:\Program Files (x86)\WindowsActivationPro10.exe
       Task: C:\Windows\Tasks\WindowsActivationPro.job => C:\Program Files (x86)\WindowsActivationPro10.exe
       Task: C:\Windows\Tasks\WindowsActivationPro10.job => C:\Program Files (x86)\WindowsActivationPro10.exe

     Alterations made by the installer:

       File system details [View: All details] (Selection)
       ---------------------------------------------------
       In the existing folder C:\Users\{username}\Desktop
         Adds the file HDwebcam.lnk
       In the existing folder C:\Program Files (x86)
         Adds the file WindowsActivationPro10.exe

       Registry details [View: All details] (Selection)
       ------------------------------------------------
       [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
         "DisableTaskMgr"="REG_DWORD", 1
       [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
         "Windows Pro"="REG_SZ", "C:\Program Files (x86)\WindowsActivationPro10.exe"

     Malwarebytes scan log:

       Malwarebytes
       www.malwarebytes.com

       -Log Details-
       Scan Date: 12/28/16
       Scan Time: 9:09 AM
       Logfile: mbamHDWebcam.txt
       Administrator: Yes

       -Software Information-
       Version: 3.0.4.1269
       Components Version: 1.0.39
       Update Package Version: 1.0.874
       License: Free

       -System Information-
       OS: Windows 7 Service Pack 1
       CPU: x64
       File System: NTFS
       User: {computername}\{username}

       -Scan Summary-
       Scan Type: Threat Scan
       Result: Completed
       Objects Scanned: 352920
       Time Elapsed: 7 min, 3 sec

       -Scan Options-
       Memory: Enabled
       Startup: Enabled
       Filesystem: Enabled
       Archives: Enabled
       Rootkits: Enabled
       Heuristics: Enabled
       PUP: Enabled
       PUM: Enabled

       -Scan Details-
       Process: 1
       Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\WINDOWSACTIVATIONPRO10.EXE, Quarantined, [124], [356039],1.0.874

       Module: 1
       Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\WINDOWSACTIVATIONPRO10.EXE, Quarantined, [124], [356039],1.0.874

       Registry Key: 0
       (No malicious items detected)

       Registry Value: 5
       Trojan.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Pro, Delete-on-Reboot, [124], [356039],1.0.874
       Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Pro, Delete-on-Reboot, [124], [356039],1.0.874
       PUM.Optional.DisableTaskMgr, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replace-on-Reboot, [19162], [293320],1.0.874
       PUM.Optional.DisableTaskMgr, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replace-on-Reboot, [19162], [293321],1.0.874
       PUM.Optional.DisableTaskMgr, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replace-on-Reboot, [19162], [293321],1.0.874

       Data Stream: 0
       (No malicious items detected)

       Folder: 0
       (No malicious items detected)

       File: 2
       Trojan.TechSupportScam, C:\PROGRAM FILES (X86)\WINDOWSACTIVATIONPRO10.EXE, Delete-on-Reboot, [124], [356039],1.0.874
       Trojan.TechSupportScam, C:\USERS\{username}\DESKTOP\HDWEBCAM.EXE, Delete-on-Reboot, [124], [355535],1.0.874

       Physical Sector: 0
       (No malicious items detected)

       (end)

     As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.
  6. What is TSS WebCam 1.0.0.4?

The Malwarebytes research team has determined that TSS WebCam 1.0.0.4 is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by TSS WebCam 1.0.0.4?

You will see this screen as soon as the computer reboots or any time the Scheduled Task is triggered (every 5 minutes):
and this added piece if you enter a different product key than the hardcoded one (THTY4-89LK6-RTI23-XZTOP-05ERY):
You may see this icon on your desktop:
this entry in your list of installed programs and features:
and this Scheduled Task:

How did TSS WebCam 1.0.0.4 get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a flashplayer for webcam footage.

How do I remove TSS WebCam 1.0.0.4?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

Note that the product code for the screenlock is THTY4-89LK6-RTI23-XZTOP-05ERY. Once you succeed, you will see this prompt. Click OK to return to your desktop.

Alternatively you can use the key combination Ctrl-Alt-Del to invoke Taskmanager. End the process called AdobeFlashPlayer.exe. This should also take you back to your desktop.

Either way the Scheduled Task will still be active, so you may have to End the process called AdobeFlashPlayer.exe again. When you have control back, continue with the instructions below.

  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of TSS WebCam 1.0.0.4?

No, Malwarebytes' Anti-Malware removes TSS WebCam 1.0.0.4 completely. The shortcut called WebCam on the desktop can be deleted if it belonged to the Tech Support Scam.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.
and we block some of the traffic they start:

Technical details for experts

You may see these entries in FRST logs:

HKCU\...\Run: [Adobe Flash Player] => C:\Windows\AdobeFlashPlayer.exe [90112 2016-11-09] ()
C:\Windows\System32\Tasks\adobeflash
C:\Users\{username}\Desktop\WebCam.lnk
WebCam 1.0.0.4 (HKLM-x32\...\WebCam 1.0.0.4) (Version: - )
Task: {F9BA5663-8260-4F4A-8F55-D07243DFF4FB} - System32\Tasks\adobeflash => C:\Windows\AdobeFlashPlayer.exe [2016-11-09] ()

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\WebCam\WebCam
  Adds the file track6.bat"="11/9/2016 10:02 PM, 178 bytes, A
  Adds the file Uninstall.exe"="12/21/2016 9:23 AM, 254004 bytes, A
  Adds the file Uninstall.ini"="12/21/2016 9:23 AM, 1647 bytes, A
  Adds the file WebCam.exe"="11/9/2016 7:42 PM, 106496 bytes, A
In the existing folder C:\Users\{username}\Desktop
  Adds the file WebCam.lnk"="12/21/2016 9:23 AM, 1980 bytes, A
In the existing folder C:\Windows
  Adds the file AdobeFlashPlayer.exe"="11/9/2016 9:26 AM, 90112 bytes, A
In the existing folder C:\Windows\System32\Tasks
  Adds the file adobeflash"="12/21/2016 9:23 AM, 3468 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WebCam 1.0.0.4]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\WebCam\WebCam\Uninstall.exe"
"DisplayName"="REG_SZ", "WebCam 1.0.0.4"
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"UninstallString"="REG_SZ", "C:\Program Files (x86)\WebCam\WebCam\Uninstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WebCam\Webcam]
"Path"="REG_SZ", ""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Flash Player"="REG_SZ", "C:\Windows\AdobeFlashPlayer.exe"

Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/22/16
Scan Time: 4:10 PM
Logfile: mbamWebcam1004.txt
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.828
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352517
Time Elapsed: 8 min, 36 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
Trojan.LockScreen, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3B07F73E-80CE-4240-9056-6913492AAD95}, Delete-on-Reboot, [162], [355211],1.0.828
Trojan.LockScreen, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\adobeflash, Delete-on-Reboot, [162], [355216],1.0.828

Registry Value: 2
Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Adobe Flash Player, Delete-on-Reboot, [124], [355099],1.0.828
Trojan.LockScreen, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3B07F73E-80CE-4240-9056-6913492AAD95}|PATH, Delete-on-Reboot, [162], [355211],1.0.828

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
Trojan.TechSupportScam, C:\WINDOWS\ADOBEFLASHPLAYER.EXE, Delete-on-Reboot, [124], [355099],1.0.828
Trojan.LockScreen, C:\USERS\{username}\DESKTOP\WEBCAMSETUP.EXE, Delete-on-Reboot, [162], [355098],1.0.828
Trojan.LockScreen, C:\WINDOWS\SYSTEM32\TASKS\ADOBEFLASH, Delete-on-Reboot, [162], [355219],1.0.828
Trojan.LockScreen, C:\PROGRAM FILES (X86)\WEBCAM\WEBCAM\TRACK6.BAT, Delete-on-Reboot, [162], [355097],1.0.828

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  7. What is TSS Microsoft Help Desk?

The Malwarebytes research team has determined that TSS Microsoft Help Desk is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by TSS Microsoft Help Desk?

You will see this screen as soon as the executable is run:
and this screen will appear a little later flashing the "High Risk !" text:

How did TSS Microsoft Help Desk get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove TSS Microsoft Help Desk?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

When you are confronted with the lockscreen, click on the part that says "Microsoft Help Desk". The blue screen called "Shell" will minimize and Internet Explorer will open a window to fastsuppport.com. Minimize that window and you should have access to your desktop. At certain intervals the lockscreen will maximize again. Repeat the procedure above until you are able to carry out the instructions below.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of TSS Microsoft Help Desk?

No, Malwarebytes' Anti-Malware removes TSS Microsoft Help Desk completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:

() C:\Users\{username}\Downloads\bsodc23x1.exe
HKCU\...\Winlogon: [Shell] C:\Users\{username}\Downloads\bsodc23x1.exe [49664 2016-12-09] () <==== ATTENTION

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="REG_SZ", "C:\Users\{username}\Downloads\bsodc23x1.exe"

Malwarebytes Anti-Malware log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/9/16
Scan Time: 9:01 AM
Logfile: mbamHelpdesk.txt
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.670
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: METALLICA-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350840
Time Elapsed: 8 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Trojan.TechSupportScam, C:\USERS\METALLICA\DOWNLOADS\BSODC23X1.EXE, Quarantined, [125], [350133],1.0.670

Module: 1
Trojan.TechSupportScam, C:\USERS\METALLICA\DOWNLOADS\BSODC23X1.EXE, Quarantined, [125], [350133],1.0.670

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.TechSupportScam, C:\USERS\METALLICA\DOWNLOADS\BSODC23X1.EXE, Delete-on-Reboot, [125], [350133],1.0.670

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  8. What is TSS VinCE?

The Malwarebytes research team has determined that TSS VinCE is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by TSS VinCE?

You will see this screen as soon as the computer boots:
and you may see this entry in your list of installed software:

How did TSS VinCE get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a keygen.

How do I remove TSS VinCE?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require booting into Safe mode with networking. You may have to use the system's power button or have to switch user to get it to reboot as this program actively stops a normal shutdown. We have found that in some cases the screenlock stops when the user clicks the F6 key.

Note that there are several variants of this one out there. Some are using different filenames and phone numbers, but the blue screen is the same (apart from the phone number) and they can all be removed using this method.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of TSS VinCE?

No, Malwarebytes' Anti-Malware removes TSS VinCE completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

More information about this Tech Support Scam screenlocker can be found on our blog.

You may see these entries in FRST logs:

HKLM\...\Run: [Vince] => C:\Program Files (x86)\VinCE\SBSCP.exe [30208 2016-09-27] ()
C:\Program Files (x86)\VinCE
VinCE 1.5 (HKLM-x32\...\VinCE 1.5) (Version: 1.5 - VinCE)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\VinCE
  Adds the file SBSCP.exe"="9/27/2016 9:02 PM, 30208 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vince"="REG_SZ", "C:\Program Files (x86)\VinCE\SBSCP.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VinCE 1.5]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\VinCE\Uninstall.exe"
"DisplayName"="REG_SZ", "VinCE 1.5"
"DisplayVersion"="REG_SZ", "1.5"
"EstimatedSize"="REG_DWORD", 30
"HelpLink"="REG_SZ", "mailto:support@company.com"
"InstallDate"="REG_SZ", "20161208"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\VinCE\"
"InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
"Language"="REG_DWORD", 1033
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "VinCE"
"UninstallString"="REG_SZ", "C:\Program Files (x86)\VinCE\Uninstall.exe"
"URLInfoAbout"="REG_SZ", "http://www.company.com/"
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 5

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/8/2016
Scan Time: 9:00 AM
Logfile: mbamVince.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.12.08.06
Rootkit Database: v2016.11.20.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 304645
Time Elapsed: 8 min, 37 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Vince, C:\Program Files (x86)\VinCE\SBSCP.exe, Quarantined, [40a632b2c0da7bbbb20d7d30a15f46ba]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.TechSupportScam, C:\Program Files (x86)\VinCE\SBSCP.exe, Quarantined, [40a632b2c0da7bbbb20d7d30a15f46ba],
Trojan.TechSupportScam, C:\Users\{username}\Desktop\sys8.exe, Quarantined, [a0465490c6d494a249b4f4b935cb3cc4],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  9. What is Microsoft Security Essentials TSS?

The Malwarebytes research team has determined that Microsoft Security Essentials TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by Microsoft Security Essentials TSS?

You will see this screen as soon as the executable is run:
and this prompt:

How did Microsoft Security Essentials TSS get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was installed as part of a bundle.

How do I remove Microsoft Security Essentials TSS?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

When confronted with the lockscreen shown above, click on the "Remote Support" button in the fake BSOD screen. This will open an Internet Explorer window inviting you to use remote assistance. Minimize this window and you will have access to your desktop. You can use taskmanager to use "End Process" for "bsodm.exe" or repeat the procedure above a few times as the blue screen will maximize every now and then.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Microsoft Security Essentials TSS?

No, Malwarebytes' Anti-Malware removes Microsoft Security Essentials TSS completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

Note: the location of the executable may be different from case to case.

You may see these entries in FRST logs:

() C:\Users\{username}\Desktop\bsodm.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
HKCU\...\Winlogon: [Shell] C:\Users\{username}\Desktop\bsodm.exe [903168 2016-11-17] () <==== ATTENTION
HKCU-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Winlogon: [Shell] C:\Users\{username}\Desktop\bsodm.exe [903168 2016-11-17] () <==== ATTENTION

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="REG_SZ", "C:\Users\{username}\Desktop\bsodm.exe"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/17/2016
Scan Time: 11:53 AM
Logfile: mbamBSODM.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.17.06
Rootkit Database: v2016.10.31.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 301305
Time Elapsed: 9 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.TechSupportScam, C:\Users\{username}\Desktop\bsodm.exe, 3728, Delete-on-Reboot, [5703843db5e552e44f259e37e91aba46]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.TechSupportScam, C:\Users\{username}\Desktop\bsodm.exe, Delete-on-Reboot, [5703843db5e552e44f259e37e91aba46],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  10. What is AG Music Player?

The Malwarebytes research team has determined that AG Music Player is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by AG Music Player?

You will see this screen as soon as the executable is run:
and this browser window to a site that has been removed:
After the reboot you will be confronted with these screens:

How did AG Music Player get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an installer for a music player.

How do I remove AG Music Player?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps. We will describe two possible methods of removal. The easiest one if you have more than one user-account is to:

Method 1

  • Use the key combination Ctrl-Alt-Del and from the resulting menu choose "Switch User".
  • Log into another account that is not affected and delete the folder "C:\Program Files (x86)\AG Music Player". You will need Administrator rights.
  • Reboot the computer despite the still active user.

Of course you can use any other means to remove named folder that you are comfortable with, like "Safe Mode with Command prompt" or bootable media. In "Safe Mode with Networking" the lockscreen will still be active.

Method 2

  • When confronted with the lockscreen shown above, use the key combination Ctrl-Alt-Del.
  • Use the password "6257DCBBF787DFE4" in the "Windows Activation Error!" prompt. You may have to try this a few times.
  • If the password has been accepted the prompt will change and look like this: the textfield is no longer accessible.
  • Now use the key combination Ctrl-Alt-Del. From the menu choose "Task Manager".
  • In Taskmanager select the process called "R.exe" with the description "R.exe". Click on "End Process" to stop the screenlocker.
  • Repeat that procedure for the process "fatalerror.exe" with the description "Microsoft .NET Framework".
  • Then in Windows Task Manager click File > New Task (Run...) and type "explorer" in the prompt. Click OK to run explorer.
  • Now you should see your desktop, but the Tech Support Scammers prompt will be back.
  • Use the password "6257dcbbf787dfe4" in the "Windows Activation Error!" prompt. You may have to try this a few times.
  • If the password has been accepted the prompt will change again.
  • Now use the key combination Ctrl-Alt-Del. From the menu choose "Task Manager".
  • Again you will have to end the process "fatalerror.exe" with the description "Microsoft .NET Framework".

After using one of the two methods above continue with the instructions below.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of AG Music Player?

No, Malwarebytes' Anti-Malware removes AG Music Player completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:

HKLM-x32\...\Run: [L] => C:\Program Files (x86)\AG Music Player\fatalerror.exe [820885 2016-09-19] (Microsoft .NET Framework)
HKLM-x32\...\Winlogon: [Shell] C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe [180224 ] () <=== ATTENTION
HKCU\...\Run: [L] => C:\Program Files (x86)\AG Music Player\fatalerror.exe [820885 2016-09-19] (Microsoft .NET Framework)
HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\AG Music Player\R.exe [180224 2016-09-19] () <==== ATTENTION
C:\Program Files (x86)\AG Music Player

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\AG Music Player
  Adds the file ClearLock.ini"="9/19/2016 9:04 PM, 40 bytes, A
  Adds the file fatalerror.exe"="9/19/2016 9:04 PM, 820885 bytes, A
  Adds the file R.exe"="9/19/2016 9:17 PM, 180224 bytes, A
  Adds the file sr60.bat"="9/19/2016 9:21 PM, 123 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"L"="REG_SZ", "C:\Program Files (x86)\AG Music Player\fatalerror.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = REG_SZ, "C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe"
[HKEY_CURRENT_USER\Software\AG Music Player\AG Music Player]
"Path"="REG_SZ", ""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"CleanShutdown" = REG_DWORD, 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"L"="REG_SZ", "C:\Program Files (x86)\AG Music Player\fatalerror.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="REG_SZ", "C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/15/2016
Scan Time: 1:01 PM
Logfile: mbamAGMusicPlayer.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.15.07
Rootkit Database: v2016.10.31.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 300660
Time Elapsed: 9 min, 18 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 3
Trojan.LockScreen, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|L, C:\Program Files (x86)\AG Music Player\fatalerror.exe, Quarantined, [9bf8d8e85b3f3df95958e6edd231ac54]
Trojan.LockScreen, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|L, C:\Program Files (x86)\AG Music Player\fatalerror.exe, Quarantined, [9bf8d8e85b3f3df95958e6edd231ac54]
Trojan.Agent, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe, Quarantined, [3c57e1dfa5f575c136037cdc5ea435cb]

Registry Data: 1
Hijack.Shell, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe, Good: (explorer.exe), Bad: (C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe),Replaced,[454e2d93f8a28da9b8b83b19798a867a]

Folders: 1
Trojan.TechSupportScam, C:\Program Files (x86)\AG Music Player, Quarantined, [1d76e4dc56440f272b871bb8dd26847c],

Files: 5
Trojan.LockScreen, C:\Program Files (x86)\AG Music Player\fatalerror.exe, Quarantined, [9bf8d8e85b3f3df95958e6edd231ac54],
Trojan.TechSupportScam, C:\Users\{username}\Desktop\AGMuysicPlayer.exe, Quarantined, [f79c0eb2574336002f80f8db49bae61a],
Trojan.TechSupportScam, C:\Program Files (x86)\AG Music Player\R.exe, Quarantined, [f49f9b259efcab8b6e429340d82b59a7],
Trojan.TechSupportScam, C:\Program Files (x86)\AG Music Player\ClearLock.ini, Quarantined, [1d76e4dc56440f272b871bb8dd26847c],
Trojan.TechSupportScam, C:\Program Files (x86)\AG Music Player\sr60.bat, Quarantined, [1d76e4dc56440f272b871bb8dd26847c],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
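The FRST entries in the guides above repeat three persistence patterns: a Winlogon Shell value that is not explorer.exe, the DisableTaskMgr policy, and one executable started from several Run keys and Scheduled Tasks. The following triage script is an added example, not Malwarebytes or FRST code; the rule names and the "two or more autostart references" threshold are assumptions made for illustration, and the sample lines are copied from the guides above apart from one constructed benign entry.

```python
import re
from collections import defaultdict

# FRST registry line: HIVE\...\Key: [ValueName] (=>) data
REG = re.compile(r'^(?P<hive>HK[^\\]+)\\\.\.\.\\(?P<key>[^:]+):\s*'
                 r'\[(?P<name>[^\]]+)\]\s*(?:=>\s*)?(?P<data>.*)$')
# FRST task line: Task: <id or .job path> => executable
TASK = re.compile(r'^Task:\s*(?P<task>.+?)\s*=>\s*(?P<data>.*)$')
# Optional FRST suffix: "[size date] (company) <==== ATTENTION"
TRAILER = re.compile(r'\s*\[[\d\s-]*\]\s*\([^)]*\)\s*(?:<=+\s*ATTENTION)?\s*$')


def parse(line):
    """Return (mechanism, source_label, [targets]) or None for other lines."""
    line = line.strip()
    m = TASK.match(line)
    if m:
        return "task", "Task " + m["task"], [TRAILER.sub("", m["data"]).strip()]
    m = REG.match(line)
    if not m:
        return None
    key, name = m["key"].lower(), m["name"].lower()
    data = TRAILER.sub("", m["data"]).strip()
    source = f'{m["hive"]} {m["key"]} [{m["name"]}]'
    if key == "run":
        return "run", source, [data]
    if key == "winlogon" and name == "shell":
        # The Shell value may list several comma-separated programs.
        return "shell", source, [p.strip() for p in data.split(",") if p.strip()]
    if key == r"policies\system" and name == "disabletaskmgr":
        return "policy", source, [data]
    return None


def triage(lines):
    """Return a list of (rule, subject, evidence) findings."""
    findings = []
    refs = defaultdict(list)  # lower-cased target path -> autostart sources
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        mech, source, targets = parsed
        if mech == "policy":
            if targets == ["1"]:
                findings.append(("taskmgr-disabled", source, targets))
            continue
        # The scan log above lists explorer.exe as the known-good Shell value.
        if mech == "shell" and [t.lower() for t in targets] != ["explorer.exe"]:
            findings.append(("shell-hijack", source, targets))
        for target in targets:
            refs[target.lower()].append(source)
    for target, sources in refs.items():
        if len(sources) >= 2:  # assumed threshold for "redundant" persistence
            findings.append(("redundant-autostart", target, sources))
    return findings


# Lines copied from the guides above; the last one is constructed.
SAMPLE = r"""
HKLM-x32\...\Run: [Windows Pro] => C:\Program Files (x86)\WindowsActivationPro10.exe
HKCU\...\Run: [Windows Pro] => C:\Program Files (x86)\WindowsActivationPro10.exe
HKCU\...\Policies\system: [DisableTaskMgr] 1
Task: {394D03CD-86CB-4E27-A05E-1D9FD72CF9AB} - System32\Tasks\WindowsActivationPro10 => C:\Program Files (x86)\WindowsActivationPro10.exe
HKLM-x32\...\Winlogon: [Shell] C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe [180224 ] () <=== ATTENTION
HKCU\...\Run: [L] => C:\Program Files (x86)\AG Music Player\fatalerror.exe [820885 2016-09-19] (Microsoft .NET Framework)
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [1000 2016-01-01] (Example Corp)
""".strip().splitlines()

if __name__ == "__main__":
    for rule, subject, evidence in triage(SAMPLE):
        print(f"{rule}: {subject}")
        for item in evidence:
            print(f"    {item}")
```

A legitimate updater can also own both a Run value and a Scheduled Task, so a redundant-autostart hit is a prompt to inspect the target, not a verdict.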
  11. What is Divyesh?

The Malwarebytes research team has determined that Divyesh is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by Divyesh?

This is the main screen of the Tech Support Scam:

Note that it also shows this on systems that are not using UEFI.

and you may see this in your list of installed programs and features:

How did Divyesh get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove Divyesh?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require booting into Safe mode with networking. Note that there are several variants of this one out there. Some are using different filenames and phone numbers, but the blue screen is the same (apart from the phone number) and they can all be removed using this method. Once in safe mode you can continue with the instructions below.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Divyesh?

No, Malwarebytes' Anti-Malware removes Divyesh completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:

HKCU\...\Run: [Divyesh] => C:\Windows\Divyesh\Divyesh\Divyesh.exe
C:\Windows\Divyesh
Divyesh (HKLM-x32\...\Divyesh) (Version: 10.1.5.10 - Divyesh)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Windows\Divyesh\Divyesh
Adds the file Divyeshrenamed.exe"="10/14/2016 1:27 AM, 45056 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Divyesh]
"DisplayIcon"="REG_SZ", "C:\Windows\Divyesh\Divyesh\Uninstall.exe"
"DisplayName"="REG_SZ", "Divyesh"
"DisplayVersion"="REG_SZ", "10.1.5.10"
"EstimatedSize"="REG_DWORD", 44
"InstallDate"="REG_SZ", "20161108"
"InstallLocation"="REG_SZ", "C:\Windows\Divyesh\Divyesh\"
"InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
"Language"="REG_DWORD", 1033
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Divyesh"
"UninstallString"="REG_SZ", "C:\Windows\Divyesh\Divyesh\Uninstall.exe"
"VersionMajor"="REG_DWORD", 10
"VersionMinor"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Divyesh"="REG_SZ", "C:\Windows\Divyesh\Divyesh\Divyesh.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec"="REG_SZ", "1"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/8/2016
Scan Time: 2:41 PM
Logfile: mbamDivyeshTSS.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.08.09
Rootkit Database: v2016.10.31.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327556
Time Elapsed: 8 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Trojan.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIVYESH, Quarantined, [b4258b32d6c41d191ea41912ea1b4bb5],

Registry Values: 2
Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Divyesh, C:\Windows\Divyesh\Divyesh\Divyesh.exe, Quarantined, [f1e885388b0fab8b3681e249a56014ec]
Trojan.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIVYESH|DisplayIcon, C:\Windows\Divyesh\Divyesh\Uninstall.exe, Quarantined, [b4258b32d6c41d191ea41912ea1b4bb5]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.TechSupportScam, C:\Windows\Divyesh\Divyesh\Divyesh.exe, Quarantined, [f1e885388b0fab8b3681e249a56014ec],
Trojan.TechSupportScam, C:\Users\{username}\Desktop\Divyesh 10.1.5.10 Installation.exe, Quarantined, [c415f0cd306a65d1dad944e71aeb15eb],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  12. What is Adobe Flash TSS?

The Malwarebytes research team has determined that Adobe Flash TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by Adobe Flash TSS?

You will see this screen as soon as the executable is run:

and this screen if you click on the highlighted part of the blue bar, marked "Security":

How did Adobe Flash TSS get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an installer for Adobe Player.

How do I remove Adobe Flash TSS?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.

  • When confronted with the lockscreen shown above, use the key combination Ctrl-Alt-Del
  • From the menu choose "Task Manager".
  • In Task Manager select the process called "Adobe Flash Player" with the description "Shell".
  • Click on "End Process" to stop the screenlocker.
  • When you return to the desktop, you may see this site open in your default browser:
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Adobe Flash TSS?

No, Malwarebytes' Anti-Malware removes Adobe Flash TSS completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:

HKCU\...\Winlogon: [Shell] C:\Users\{username}\Desktop\Adobe Flash Player.exe [354816 2016-10-27] () <==== ATTENTION
() C:\Users\{username}\Desktop\Adobe Flash Player.exe

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="REG_SZ", "C:\Users\{username}\Desktop\Adobe Flash Player.exe"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/27/2016
Scan Time: 12:17 PM
Logfile: mbamAdobeTSS.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.27.04
Rootkit Database: v2016.09.26.02
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 326781
Time Elapsed: 9 min, 48 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Rogue.TechSupportScam, C:\Users\{username}\Desktop\Adobe Flash Player.exe, 880, Delete-on-Reboot, [78b8841a7e1c5bdba839f92506ffc53b]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Users\{username}\Desktop\Adobe Flash Player.exe, Quarantined, [cd63d9c55941ca6c00c763b15da83cc4]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Rogue.TechSupportScam, C:\Users\{username}\Desktop\Adobe Flash Player.exe, Delete-on-Reboot, [78b8841a7e1c5bdba839f92506ffc53b],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  13. What is nerta TSS?

The Malwarebytes research team has determined that nerta TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by nerta TSS?

You may see this task in your Task Scheduler:

and this entry in your list of installed programs:

How did nerta TSS get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was bundled with other software. It installs files that will produce a fake Windows Activation screen with the Tech Support Scammers' number. It can take a while before this actually happens, so you might be unaware of which install was the trigger. It shows this fake error screen on top of your other applications, constantly refreshing so it's hard to stop.

How do I remove nerta TSS?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. Due to the nature of the infection, you will need to stop the malware process from running.

  • When confronted with the fake blue error screen, use the Ctrl-Alt-Del key combination and run Task Manager.
  • In the list of processes find nerta.exe.
  • Select the nerta.exe process and click on the End Process button.
  • Now you should have access to your desktop and other programs.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of nerta TSS?

No, Malwarebytes' Anti-Malware removes nerta TSS completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:

() C:\Program Files (x86)\Stlr\nerta\nerta.exe
() C:\Program Files (x86)\Stlr\nerta\nertacs.exe
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk [2016-09-19]
ShortcutTarget: Nerta.lnk -> C:\Windows\System32\schtasks.exe (Microsoft Corporation)
R2 nrtService; C:\Program Files (x86)\Stlr\nerta\nertacs.exe [12288 2016-08-16] () [File not signed]
C:\Windows\System32\Tasks\nerta
C:\Users\{username}\AppData\Roaming\st
C:\Program Files (x86)\Stlr
nerta (HKLM-x32\...\nerta) (Version: 2.1.2 - Stlr)
Task: {0767AA60-4FDF-457C-9D2B-D132747A2416} - System32\Tasks\nerta => C:\Program Files (x86)\Stlr\nerta\nerta.exe [2016-08-29] ()

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Stlr\nerta
Adds the file bto.ico"="8/12/2016 3:23 AM, 2462 bytes, A
Adds the file Caliburn.Micro.dll"="8/9/2016 10:37 PM, 104448 bytes, A
Adds the file Caliburn.Micro.pdb"="8/9/2016 10:37 PM, 296448 bytes, A
Adds the file Caliburn.Micro.xml"="8/9/2016 10:37 PM, 141115 bytes, A
Adds the file Comparers.dll"="4/17/2015 11:00 PM, 6144 bytes, A
Adds the file Garlic.dll"="8/9/2016 10:38 PM, 15360 bytes, A
Adds the file Garlic.pdb"="8/9/2016 10:38 PM, 40448 bytes, A
Adds the file InstallUtil.InstallLog"="9/19/2016 10:46 AM, 632 bytes, A
Adds the file Ionic.Zip.Reduced.dll"="7/14/2014 5:36 PM, 253440 bytes, A
Adds the file LedControl.dll"="3/6/2012 7:14 PM, 13824 bytes, A
Adds the file log.txt"="9/19/2016 10:46 AM, 743 bytes, A
Adds the file LoggingControl.dll"="1/22/2016 12:26 AM, 34816 bytes, A
Adds the file Microsoft.Win32.TaskScheduler.dll"="12/17/2015 3:24 AM, 185856 bytes, A
Adds the file Microsoft.Windows.Shell.dll"="10/19/2010 9:00 PM, 167808 bytes, A
Adds the file nerta.exe"="8/29/2016 12:41 PM, 30720 bytes, A
Adds the file nerta.exe.config"="8/9/2016 3:09 AM, 588 bytes, A
Adds the file nertacs.exe"="8/16/2016 4:00 AM, 12288 bytes, A
Adds the file nertacs.exe.config"="12/11/2015 2:26 AM, 597 bytes, A
Adds the file nertacs.InstallLog"="9/19/2016 10:46 AM, 645 bytes, A
Adds the file nertacs.InstallState"="9/19/2016 10:46 AM, 7466 bytes, A
Adds the file nertastarter.exe"="8/12/2016 6:12 AM, 6656 bytes, A
Adds the file nertastarter.exe.config"="12/11/2015 2:27 AM, 174 bytes, A
Adds the file Newtonsoft.Json.dll"="8/9/2016 10:37 PM, 489472 bytes, A
Adds the file Newtonsoft.Json.xml"="8/9/2016 10:37 PM, 523221 bytes, A
Adds the file nrtupdates.exe"="8/12/2016 6:11 AM, 11264 bytes, A
Adds the file nrtupdates.exe.config"="3/11/2015 10:26 PM, 174 bytes, A
Adds the file PDSA.Common.dll"="12/17/2015 3:24 AM, 9728 bytes, A
Adds the file System.Windows.Interactivity.dll"="8/9/2016 10:37 PM, 39936 bytes, A
Adds the file System.Windows.Interactivity.xml"="8/9/2016 10:37 PM, 62128 bytes, A
Adds the file testwcf.exe"="8/12/2016 4:18 AM, 6656 bytes, A
Adds the file testwcf.exe.config"="8/12/2016 3:59 AM, 174 bytes, A
Adds the file UrlHistoryLibrary.dll"="2/3/2015 11:12 PM, 24576 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming
Adds the file st"="9/19/2016 10:46 AM, 53 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Adds the file Nerta.lnk"="9/19/2016 10:46 AM, 1825 bytes, A
In the existing folder C:\Windows\System32\Tasks
Adds the file nerta"="9/19/2016 10:46 AM, 3252 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nerta_RASAPI32]
"ConsoleTracingMask"="REG_DWORD", -65536
"EnableConsoleTracing"="REG_DWORD", 0
"EnableFileTracing"="REG_DWORD", 0
"FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
"FileTracingMask"="REG_DWORD", -65536
"MaxFileSize"="REG_DWORD", 1048576
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nerta_RASMANCS]
"ConsoleTracingMask"="REG_DWORD", -65536
"EnableConsoleTracing"="REG_DWORD", 0
"EnableFileTracing"="REG_DWORD", 0
"FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
"FileTracingMask"="REG_DWORD", -65536
"MaxFileSize"="REG_DWORD", 1048576
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\nerta]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Stlr\nerta\Uninstall.exe"
"DisplayName"="REG_SZ", "nerta"
"DisplayVersion"="REG_SZ", "2.1.2"
"EstimatedSize"="REG_DWORD", 2423
"InstallDate"="REG_SZ", "20160919"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\Stlr\nerta\"
"InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
"Language"="REG_DWORD", 1033
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Stlr"
"UninstallString"="REG_SZ", "C:\Program Files (x86)\Stlr\nerta\Uninstall.exe"
"VersionMajor"="REG_DWORD", 2
"VersionMinor"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\nrtService]
"EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nrtService]
"DelayedAutostart"="REG_DWORD", 0
"Description"="REG_SZ", "this will update the gas"
"DisplayName"="REG_SZ", "Btior New"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\Stlr\nerta\nertacs.exe""
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/19/2016
Scan Time: 10:54 AM
Logfile: mbamNerta.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.19.03
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321010
Time Elapsed: 9 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
Rogue.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nerta.exe, 3184, Delete-on-Reboot, [4db2b6bd97039a9c4683608fcd3711ef]
Rogue.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nertacs.exe, 3360, Delete-on-Reboot, [08f7da993b5f280efad03ab54db7857b]

Modules: 0
(No malicious items detected)

Registry Keys: 4
Rogue.TechSupportScam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\nrtService, Quarantined, [08f7da993b5f280efad03ab54db7857b],
Trojan.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0767AA60-4FDF-457C-9D2B-D132747A2416}, Delete-on-Reboot, [af50d79c9109ad8989a340af8b79a957],
Trojan.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\nerta, Delete-on-Reboot, [a15e96dd1585c571af7edc130103a759],
Trojan.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\nerta, Quarantined, [fc03b1c222784bebfc2ed21de222fa06],

Registry Values: 1
Trojan.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0767AA60-4FDF-457C-9D2B-D132747A2416}|Path, \nerta, Delete-on-Reboot, [af50d79c9109ad8989a340af8b79a957]

Registry Data: 0
(No malicious items detected)

Folders: 2
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta, Delete-on-Reboot, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr, Delete-on-Reboot, [34cb7300f8a2b87ecd6430bf1ee64ab6],

Files: 36
Rogue.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nerta.exe, Quarantined, [4db2b6bd97039a9c4683608fcd3711ef],
Rogue.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nertacs.exe, Delete-on-Reboot, [08f7da993b5f280efad03ab54db7857b],
Rogue.TechSupportScam, C:\Users\{username}\Desktop\Setup.exe, Quarantined, [c639adc6e1b95cda77540ce33acafa06],
Trojan.TechSupportScam, C:\Windows\System32\Tasks\nerta, Quarantined, [19e611629efce55152dcf0fff70dd828],
Trojan.TechSupportScam, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk, Quarantined, [35ca4c27f9a180b6df51c32caa5aea16],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\log.txt, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\bto.ico, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Caliburn.Micro.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Caliburn.Micro.pdb, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Caliburn.Micro.xml, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Comparers.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Garlic.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Garlic.pdb, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\InstallUtil.InstallLog, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Ionic.Zip.Reduced.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\LedControl.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\LoggingControl.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Microsoft.Win32.TaskScheduler.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Microsoft.Windows.Shell.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nerta.exe.config, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nertacs.exe.config, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nertacs.InstallLog, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nertacs.InstallState, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nertastarter.exe, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nertastarter.exe.config, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Newtonsoft.Json.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\Newtonsoft.Json.xml, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nrtupdates.exe, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nrtupdates.exe.config, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\PDSA.Common.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\System.Windows.Interactivity.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\System.Windows.Interactivity.xml, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\testwcf.exe, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\testwcf.exe.config, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\UrlHistoryLibrary.dll, Quarantined, [34cb7300f8a2b87ecd6430bf1ee64ab6],
Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\st, Quarantined, [08f7264dbedc45f168eb0ee208fc15eb],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
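The scan logs in the guides above keep cleaning up the same few autostart locations: Run values, the Winlogon Shell value, a service key and scheduled-task cache keys. The Python script below is an added example, not part of the original posts or of any Malwarebytes tooling; it parses the registry sections of a log in this layout and labels each entry by persistence mechanism. It assumes a log saved with one entry per line, and the sample log and its bracketed IDs are constructed placeholders.

```python
import re

# Constructed sample in the layout of a Malwarebytes Anti-Malware 2.x log,
# one entry per line. Paths mirror the guides above; the bracketed IDs are
# placeholders, not values from a real scan.
SAMPLE_LOG = r"""
Registry Keys: 2
Rogue.TechSupportScam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\nrtService, Quarantined, [id-0001],
Trojan.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIVYESH, Quarantined, [id-0002],

Registry Values: 3
Trojan.LockScreen, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|L, C:\Program Files (x86)\AG Music Player\fatalerror.exe, Quarantined, [id-0003]
Trojan.Agent, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\AG Music Player\fatalerror.exe,C:\Program Files (x86)\AG Music Player\R.exe, Quarantined, [id-0004]
Trojan.TechSupportScam, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{0767AA60-4FDF-457C-9D2B-D132747A2416}|Path, \nerta, Delete-on-Reboot, [id-0005]

Files: 1
Trojan.TechSupportScam, C:\Program Files (x86)\Stlr\nerta\nerta.exe, Quarantined, [id-0006],
"""

SECTION = re.compile(r"^(Processes|Modules|Registry Keys|Registry Values|"
                     r"Registry Data|Folders|Files|Physical Sectors): (\d+)")

# Autostart locations seen in the guides, matched against the upper-cased key.
MECHANISMS = [
    ("winlogon-shell", re.compile(r"\\WINDOWS NT\\CURRENTVERSION\\WINLOGON$")),
    ("run-key", re.compile(r"\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?$")),
    ("service", re.compile(r"\\CURRENTCONTROLSET\\SERVICES\\[^\\]+$")),
    ("scheduled-task", re.compile(r"\\SCHEDULE\\TASKCACHE\\(TASKS|TREE)\\")),
]


def parse_registry_detections(log_text):
    """Return one dict per entry in the Registry Keys / Registry Values sections."""
    entries, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        if section not in ("Registry Keys", "Registry Values"):
            continue
        if not line or line.startswith("("):  # blank or "(No malicious items detected)"
            continue
        fields = [f.strip() for f in line.rstrip(",").split(", ")]
        if len(fields) < 4:
            continue  # not a detection entry
        key, _, value = fields[1].partition("|")
        entries.append({
            "detection": fields[0],
            "key": key,
            "value": value,                  # empty for whole-key detections
            "data": ", ".join(fields[2:-2]), # between location and action
            "action": fields[-2],
        })
    return entries


def classify(entry):
    """Name the persistence mechanism an entry belongs to, or None."""
    key = entry["key"].upper()
    for name, pattern in MECHANISMS:
        if pattern.search(key):
            if name == "winlogon-shell" and entry["value"].lower() != "shell":
                continue
            return name
    return None


def foreign_shell_programs(data):
    """Programs in a Winlogon Shell value other than plain explorer.exe,
    the value the AG Music Player log above lists as good."""
    programs = [p.strip().strip('"') for p in data.split(",") if p.strip()]
    return [p for p in programs if p.lower() != "explorer.exe"]


def triage(log_text):
    """Keep only entries that are autostart points and annotate them."""
    findings = []
    for entry in parse_registry_detections(log_text):
        mechanism = classify(entry)
        if mechanism is None:
            continue  # e.g. Uninstall keys: leftovers, not an autostart
        finding = dict(entry, mechanism=mechanism)
        if mechanism == "winlogon-shell":
            finding["foreign_shell"] = foreign_shell_programs(entry["data"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["mechanism"], f["key"], f["value"], f["data"], sep=" | ")
```

Comparing the Shell value against the literal string explorer.exe also flags a full path to Explorer, so treat such a hit as something to review rather than a confirmed hijack.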