Jump to content

Removal instructions for dlclient


Recommended Posts

  • Staff

What is dlclient?

The Malwarebytes research team has determined that dlclient is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by dlclient?

You may see this entry in your list of installed programs:

warning4.png

and these Scheduled Tasks:

warning3.png

How did dlclient get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove dlclient?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Is there anything else I need to do to get rid of dlclient?
  • No, Malwarebytes' Anti-Malware removes dlclient completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the dlclient adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

protection1.png

Technical details for experts

You will see these signs in a HijackThis log:

O4 - HKCU\..\Run: [dlclient] C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe
Possible signs in FRST logs:

 (Pay By Ads LTD) C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe HKCU\...\Run: [dlclient] => C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe [667416 2015-03-08] (Pay By Ads LTD) () C:\Program Files\dlclientTask: {58EC1DAC-41C0-45A8-B30F-28371609B22C} - System32\Tasks\dlclient Updater => C:\Program Files\dlclient\dlclient\1.3.23.0\dlsetup.exe [2015-03-08] (Pay By Ads LTD)Task: {98D9E681-540A-4651-8F8E-8AAAC3DAF858} - System32\Tasks\dlclient => C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe [2015-03-08] (Pay By Ads LTD)
Alterations made by the installer:

File system details [View: All details] (Selection)---------------------------------------------------    Adds the folder C:\Program Files\dlclient\dlclient\1.3.23.0       Adds the file app.ini"="3/8/2015 12:30 PM, 507 bytes, A       Adds the file chromext64.dll"="3/8/2015 12:30 PM, 341504 bytes, A       Adds the file dlclient.exe"="3/8/2015 12:30 PM, 667416 bytes, A       Adds the file dlsetup.exe"="3/8/2015 12:30 PM, 471320 bytes, A       Adds the file hlpr64.exe"="3/8/2015 12:30 PM, 91648 bytes, A       Adds the file hoapmamo.dll"="3/8/2015 12:30 PM, 305152 bytes, A       Adds the file ka7jdmlf.dll"="3/8/2015 12:30 PM, 289280 bytes, A       Adds the file res.dll"="3/8/2015 12:30 PM, 203264 bytes, A    In the existing folder C:\Windows\System32\Tasks       Adds the file dlclient"="3/8/2015 12:30 PM, 3466 bytes, A       Adds the file dlclient Updater"="3/8/2015 12:30 PM, 3464 bytes, ARegistry details [View: All details] (Selection)------------------------------------------------    [HKEY_CURRENT_USER\Software\Classes\keepmysearch\instl\data]       "APPORDR"="REG_SZ", "F4F9B88008AE3D7A"       "country"="REG_SZ", ""       "lng"="REG_SZ", ""       "prm1"="REG_SZ", ""       "prm2"="REG_SZ", ""       "prm3"="REG_SZ", ""       "prm4"="REG_SZ", ""       "prm5"="REG_SZ", ""    [HKEY_CURRENT_USER\Software\Classes\keepmysearch\uninstl]       "dlclient"="REG_SZ", "C:\Program Files\dlclient\dlclient\1.3.23.0\dlsetup.exe"    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]       "dlclient.exe"="REG_DWORD", 19000       "dlsetup.exe"="REG_DWORD", 19000    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]       "dlclient"="REG_SZ", "C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe"    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\dlclient]       "DisplayIcon"="REG_SZ", ""C:\Program Files\dlclient\dlclient\1.3.23.0\dlsetup.exe""       "DisplayName"="REG_SZ", "dlclient"       "NoModify"="REG_DWORD", 1       "NoRepair"="REG_DWORD", 1       "Publisher"="REG_SZ", "dlclient"       "UninstallString"="REG_SZ", ""C:\Program Files\dlclient\dlclient\1.3.23.0\dlsetup.exe" /uninstl"
Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 3/8/2015Scan Time: 12:43:46 PMLogfile: MBAMDLClient.txtAdministrator: YesVersion: 2.01.0.1004Malware Database: v2015.03.08.04Rootkit Database: v2015.02.25.01License: FreeMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x86File System: NTFSUser: MalwarebytesScan Type: Threat ScanResult: CompletedObjects Scanned: 292618Time Elapsed: 3 min, 41 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: DisabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 1PUP.Optional.PayByAds.A, C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe, 3856, Delete-on-Reboot, [d63e5fe478126fc75404cc4860a6d32d]Modules: 0(No malicious items detected)Registry Keys: 2PUP.Optional.DLClient.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DLCLIENT, Quarantined, [f61ee063bfcbb383310e990a2bd852ae], PUP.Optional.KeepMySearch.A, HKCU_Classes\keepmysearch, Quarantined, [74a053f00189ec4a9a43aa0a57ac21df], Registry Values: 2PUP.Optional.PayByAds.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|dlclient, C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe, Quarantined, [d63e5fe478126fc75404cc4860a6d32d]PUP.Optional.DLClient.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DLCLIENT|DisplayIcon, "C:\Program Files\dlclient\dlclient\1.3.23.0\dlsetup.exe", Quarantined, [f61ee063bfcbb383310e990a2bd852ae]Registry Data: 0(No malicious items detected)Folders: 2PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient, Delete-on-Reboot, [799b70d38109fa3c03bb3f631fe47e82], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0, Delete-on-Reboot, [799b70d38109fa3c03bb3f631fe47e82], Files: 9PUP.Optional.PayByAds.A, C:\Program Files\dlclient\dlclient\1.3.23.0\dlclient.exe, Delete-on-Reboot, [d63e5fe478126fc75404cc4860a6d32d], PUP.Optional.KeepMySearch.A, C:\Users\{username}\Desktop\DLCient.exe, Quarantined, [68ac390a4b3f979fd4584e8512f3c739], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0\app.ini, Quarantined, [799b70d38109fa3c03bb3f631fe47e82], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0\chromext64.dll, Quarantined, [799b70d38109fa3c03bb3f631fe47e82], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0\dlsetup.exe, Quarantined, [799b70d38109fa3c03bb3f631fe47e82], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0\hlpr64.exe, Quarantined, [799b70d38109fa3c03bb3f631fe47e82], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0\hoapmamo.dll, Quarantined, [799b70d38109fa3c03bb3f631fe47e82], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0\ka7jdmlf.dll, Quarantined, [799b70d38109fa3c03bb3f631fe47e82], PUP.Optional.DLClient.A, C:\Program Files\dlclient\dlclient\1.3.23.0\res.dll, Quarantined, [799b70d38109fa3c03bb3f631fe47e82], Physical Sectors: 0(No malicious items detected)(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Link to post
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.