Jump to content

Removal instructions for WeWatcher


Recommended Posts

  • Staff

What is WeWatcher?

 

The Malwarebytes research team has determined that WeWatcher is adware. These adware applications display advertisements not originating from the sites you are browsing.

This one is a LSP hijacker and uses rootkit techniques.

 

How do I know if my computer is affected by WeWatcher?

You may see this entry in your list of installed programs:

 

warning4.png

and this Scheduled Task :

warning3.png

 

How did WeWatcher get on my computer?

 

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

 

How do I remove WeWatcher?

 

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, make sure that under Settings > Detection and Protection there is a checkmark before Scan for rootkits.
  • Then select Scan now or select the Threat Scan from the Scan menu.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Is there anything else I need to do to get rid of WeWatcher?
  • No, Malwarebytes' Anti-Malware removes WeWatcher completely.
  • You may be prompted twice to reboot after removal. Malwarebytes Anti-Malware needs to restore your connection after removing this LSP-hijacker.

    2reboot.png

How would the full version of Malwarebytes Anti-Malware help protect me?

 

We hope our application and this guide have helped you eradicate this hijacker.  

 

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the WeWatcher adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

 

protection1.png

Technical details for experts

 

You will see these signs in a HijackThis log:

O10 - Unknown file in Winsock LSP: c:\windows\system32\wewatcherlsp.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\wewatcherlsp.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\wewatcherlsp.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\wewatcherlsp.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\wewatcherlsp.dllO23 - Service: WeWatcherProxy - WeWatcher - C:\Program Files (x86)\SysFiles\WeWatcherProxy.exe
 

You may see these signs in FRST logs:

 (WeWatcher) C:\Program Files (x86)\SysFiles\WeWatcherProxy.exe Winsock: Catalog9 01 C:\Windows\SysWOW64\WeWatcherLSP.dll [305752 2015-07-17] (WeWatcher) Winsock: Catalog9 02 C:\Windows\SysWOW64\WeWatcherLSP.dll [305752 2015-07-17] (WeWatcher) Winsock: Catalog9 03 C:\Windows\SysWOW64\WeWatcherLSP.dll [305752 2015-07-17] (WeWatcher) Winsock: Catalog9 04 C:\Windows\SysWOW64\WeWatcherLSP.dll [305752 2015-07-17] (WeWatcher) Winsock: Catalog9 15 C:\Windows\SysWOW64\WeWatcherLSP.dll [305752 2015-07-17] (WeWatcher) Winsock: Catalog9-x64 01 C:\Windows\system32\WeWatcherLSP64.dll [356824 2015-07-17] (WeWatcher) Winsock: Catalog9-x64 02 C:\Windows\system32\WeWatcherLSP64.dll [356824 2015-07-17] (WeWatcher) Winsock: Catalog9-x64 03 C:\Windows\system32\WeWatcherLSP64.dll [356824 2015-07-17] (WeWatcher) Winsock: Catalog9-x64 04 C:\Windows\system32\WeWatcherLSP64.dll [356824 2015-07-17] (WeWatcher) Winsock: Catalog9-x64 15 C:\Windows\system32\WeWatcherLSP64.dll [356824 2015-07-17] (WeWatcher) R2 WeWatcherProxy; C:\Program Files (x86)\SysFiles\WeWatcherProxy.exe [1817912 2015-07-02] (WeWatcher) C:\Windows\SysWOW64\WeWatcherProxyOff.ini C:\Windows\system32\WeWatcherProxyOff.ini C:\Windows\System32\Tasks\SysHealth_Controller_Mon C:\Windows\SysHealthController C:\Windows\SysFilesController C:\Program Files (x86)\SysFiles (WeWatcher) C:\Windows\system32\WeWatcherLSP64.dll (WeWatcher) C:\Windows\SysWOW64\WeWatcherLSP.dllWinPrograms (HKLM-x32\...\WebWatcherInstall) (Version:  - )WinPrograms (HKLM-x32\...\WinPrograms) (Version:  - )Task: {685329E9-17DE-404C-83D6-A5297295DFE7} - System32\Tasks\SysHealth_Controller_Mon => C:\Windows\SysFilesController\SysFiles_backup.exe [2015-07-02] ()HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WeWatcherProxy => ""="service"
 

 

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 17/07/2015Scan Time: 09:32Logfile: mbamWeWatcher.txtAdministrator: YesVersion: 2.1.8.1057Malware Database: v2015.07.17.01Rootkit Database: v2015.07.16.01License: PremiumMalware Protection: DisabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: {username}Scan Type: Threat ScanResult: CompletedObjects Scanned: 326265Time Elapsed: 4 min, 12 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 1PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherProxy.exe, 3508, Delete-on-Reboot, [4f864c96cbbf67cfcb9ffdc5c839bd43]Modules: 8PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherCert.dll, Delete-on-Reboot, [b520af33a3e74cea0d5d764c5fa2fe02], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\freebl3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\libnspr4.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\libplc4.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\libplds4.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\nss3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\nssutil3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\smime3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], Registry Keys: 80PUP.Optional.Winsock.HijackBoot, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WeWatcherProxy, Quarantined, [4f864c96cbbf67cfcb9ffdc5c839bd43], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WinPrograms, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\TYPELIB\{5534719D-3FBF-4B02-9EB1-460277DBE138}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{07FD117E-BAC6-4F75-8570-B4FCE1084A67}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{1B9C5796-93EC-4BD1-B78B-7CA9CC41CBF4}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{2811C0FA-9761-43EA-9AD5-A0421A0B7F39}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{41CB0A85-E6F1-4870-A57C-26B9A4621E48}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{48FA6A2A-A39E-4E08-A210-57D7E485F9C2}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{4AA35302-BF9B-4094-9CDF-BE94BF46E3C1}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{61A32176-4B99-4D75-BFCB-5CB2B3B7E42E}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{85F3ED44-E37B-46D1-8BF8-6E49D4F34EC8}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{BF0D7E34-16EC-4682-8144-34007DD3A8C7}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{DC3AB55D-3513-40CB-8A9B-7ABEF8CA30F2}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{DED2C126-AACF-4F4C-B916-8A220ACCC234}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{EC67C245-F357-4687-A695-B96A7DACF38D}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\INTERFACE\{F1C51A2C-95E6-4BE8-8323-4ACDA99F68B3}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{07FD117E-BAC6-4F75-8570-B4FCE1084A67}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{1B9C5796-93EC-4BD1-B78B-7CA9CC41CBF4}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{2811C0FA-9761-43EA-9AD5-A0421A0B7F39}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{41CB0A85-E6F1-4870-A57C-26B9A4621E48}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{48FA6A2A-A39E-4E08-A210-57D7E485F9C2}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{4AA35302-BF9B-4094-9CDF-BE94BF46E3C1}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{61A32176-4B99-4D75-BFCB-5CB2B3B7E42E}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{85F3ED44-E37B-46D1-8BF8-6E49D4F34EC8}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BF0D7E34-16EC-4682-8144-34007DD3A8C7}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DC3AB55D-3513-40CB-8A9B-7ABEF8CA30F2}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DED2C126-AACF-4F4C-B916-8A220ACCC234}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{EC67C245-F357-4687-A695-B96A7DACF38D}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{F1C51A2C-95E6-4BE8-8323-4ACDA99F68B3}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{07FD117E-BAC6-4F75-8570-B4FCE1084A67}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1B9C5796-93EC-4BD1-B78B-7CA9CC41CBF4}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{2811C0FA-9761-43EA-9AD5-A0421A0B7F39}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{41CB0A85-E6F1-4870-A57C-26B9A4621E48}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{48FA6A2A-A39E-4E08-A210-57D7E485F9C2}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{4AA35302-BF9B-4094-9CDF-BE94BF46E3C1}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{61A32176-4B99-4D75-BFCB-5CB2B3B7E42E}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{85F3ED44-E37B-46D1-8BF8-6E49D4F34EC8}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BF0D7E34-16EC-4682-8144-34007DD3A8C7}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DC3AB55D-3513-40CB-8A9B-7ABEF8CA30F2}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DED2C126-AACF-4F4C-B916-8A220ACCC234}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{EC67C245-F357-4687-A695-B96A7DACF38D}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{F1C51A2C-95E6-4BE8-8323-4ACDA99F68B3}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{5534719D-3FBF-4B02-9EB1-460277DBE138}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{5534719D-3FBF-4B02-9EB1-460277DBE138}, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataContainer, Quarantined, [f1e4588a9bef0b2b35e60495f70d07f9], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataContainer.1, Quarantined, [c70e9a4838529f97b863198043c18080], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataController, Quarantined, [7d586b7791f9fb3bc7544257768ed62a], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataController.1, Quarantined, [399c21c1ff8bf83e4dced8c1d3312bd5], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTable, Quarantined, [af26f5ed0f7b5ed84ad180196f950bf5], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTable.1, Quarantined, [3a9b5989abdfb97d52c9b2e7a361956b], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableFields, Quarantined, [01d44b97f69471c5170472271aea6997], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableFields.1, Quarantined, [c60f647e167464d223f8eaaf6f950000], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableHolder, Quarantined, [6d689c461c6e6dc962b93564d72d6d93], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.DataTableHolder.1, Quarantined, [04d1c71b38522e08b368a7f23ec6e818], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.LSPLogic, Quarantined, [c21310d256348da9f62542577094fc04], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.LSPLogic.1, Quarantined, [ffd63ca62d5da591bb60eeab35cf3dc3], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.ReadOnlyManager, Quarantined, [3c99c61c5d2da98dbe5de0b97292758b], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.ReadOnlyManager.1, Quarantined, [7b5a22c0791195a1b36890095ea629d7], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.WatchDog, Quarantined, [ece96a780c7edc5a42d9c2d73fc5ba46], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WeWatcherProxyLib.WatchDog.1, Quarantined, [d20339a91674d264081328715aaa6a96], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\APPID\WeWatcherProxy.EXE, Quarantined, [c114ba2813773ff7ab6f693038ccfe02], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\WeWatcherProxy.EXE, Quarantined, [6e6729b9a5e5d95d8a901980b054b64a], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataContainer, Quarantined, [11c4964c6f1bf54168b32475788c46ba], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataContainer.1, Quarantined, [765f984adab039fd73a8d4c58d772ad6], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataController, Quarantined, [7d581ac80c7eaf87a5767d1c6e96c937], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataController.1, Quarantined, [32a349992268dc5a07144a4fd82c8d73], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataTable, Quarantined, [28ade5fd4941300657c4742545bfcf31], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataTable.1, Quarantined, [468fa141c2c8c472ae6d8712996b15eb], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataTableFields, Quarantined, [27ae776b2f5bc76fc7547623fc08d927], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataTableFields.1, Quarantined, [63720ad85733ee481b0068317193d030], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataTableHolder, Quarantined, [fcd94f93f79370c634e7b4e5e222ac54], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.DataTableHolder.1, Quarantined, [b02527bb6a2042f46fac7326f60e8779], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.LSPLogic, Quarantined, [d104d909fe8c9b9be239abeebb491be5], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.LSPLogic.1, Quarantined, [2baab13192f8ac8a60bb7524857f5fa1], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.ReadOnlyManager, Quarantined, [b71ec919c8c2d26450cbafeab35147b9], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.ReadOnlyManager.1, Quarantined, [5a7be101e5a581b536e5702921e315eb], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.WatchDog, Quarantined, [2ca9fae88ffbfe38ad6e92076b99f20e], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\WeWatcherProxyLib.WatchDog.1, Quarantined, [def7b131543606308b90b8e14fb554ac], PUP.Optional.WeWatcherProxy.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\WeWatcherProxy.EXE, Quarantined, [6174d80a72180e2822f80792778dd62a], PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WebWatcherInstall, Quarantined, [5c79c220bcce83b382656a9d748f07f9], Registry Values: 2PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINPROGRAMS|UninstallString, C:\Program Files (x86)\SysFiles\uninstall.exe, Quarantined, [8d484c96a6e459dd13d54eb9649f19e7]PUP.Optional.HealthCareGovTool.C, HKLM\SOFTWARE\WOW6432NODE\WINPROGRAMS|Path, C:\Program Files (x86)\SysFiles, Quarantined, [3e9710d2444616201ccdb453ec1704fc]Registry Data: 0(No malicious items detected)Folders: 3PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.SysHealthController.A, C:\Windows\SysFilesController, Quarantined, [0acb10d2c0caee4887c629df2cd77e82], PUP.Optional.SysHealthController.A, C:\Windows\SysHealthController, Quarantined, [e1f41dc58604d1651836aa5e8a7955ab], Files: 33PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherProxy.exe, Delete-on-Reboot, [4f864c96cbbf67cfcb9ffdc5c839bd43], PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherCert.dll, Delete-on-Reboot, [b520af33a3e74cea0d5d764c5fa2fe02], Rootkit.WeWatcher.PUP, C:\Users\{username}\Desktop\WeWatcher.exe, Quarantined, [a92cbd25eaa06dc93635794917ea60a0], PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherLSP.dll, Quarantined, [2aabcc16fc8e4cea7bef814108f99c64], PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherLSP.exe, Quarantined, [d0057171e7a336005317645e5ea39a66], PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherLSP64.dll, Quarantined, [f1e43fa35f2b1125e288f5cdf50cff01], PUP.Optional.Winsock.HijackBoot, C:\Program Files (x86)\SysFiles\WeWatcherLSP64.exe, Quarantined, [9e376181ff8b60d61a50259dc43d926e], PUP.Optional.Winsock.HijackBoot, C:\Windows\System32\WeWatcherLSP64.dll, Delete-on-Reboot, [ab2a479b69215ed806642c963ac7f50b], PUP.Optional.Winsock.HijackBoot, C:\Windows\SysWOW64\WeWatcherLSP.dll, Delete-on-Reboot, [32a328bafa9053e35e0c8240b849d729], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\HealthcareHelp.exe, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\freebl3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\libnspr4.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\libplc4.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\libplds4.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\nss3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\nssckbi.dll, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\nssdbm3.dll, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\nssutil3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\smime3.dll, Delete-on-Reboot, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\softokn3.dll, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\sqlite3.dll, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\ssl3.dll, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\uninstall.exe, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.HealthCareGovTool.C, C:\Program Files (x86)\SysFiles\WeWatcherProxy.tlb, Quarantined, [0ec717cb17735adcdc0a0106e81ba15f], PUP.Optional.SysHealthControlle.A, C:\Windows\System32\Tasks\SysHealth_Controller_Mon, Quarantined, [9b3a5f836a20191ddd6d8b7dd92a37c9], PUP.Optional.SysHealthController.A, C:\Windows\SysFilesController\SysFiles_backup.exe, Quarantined, [0acb10d2c0caee4887c629df2cd77e82], PUP.Optional.SysHealthController.A, C:\Windows\SysHealthController\SysFiles_backup.exe, Quarantined, [e1f41dc58604d1651836aa5e8a7955ab], PUP.Optional.WeWatcherProxy.A, C:\Users\{username}\AppData\Local\Temp\WeWatcherLSP.ini.log, Quarantined, [b223479b7119b4827e9a7722e71d13ed], PUP.Optional.WeWatcherProxy.A, C:\Users\{username}\AppData\Local\Temp\WeWatcherProxyr.log, Quarantined, [8253d80a16742d099386cecb7a8aad53], PUP.Optional.WeWatcherProxy.A, C:\Windows\Temp\WeWatcherProxy.log, Delete-on-Reboot, [43926a7811795fd7081118817f8501ff], PUP.Optional.WeWatcherProxy.A, C:\Windows\Temp\WeWatcherProxyr.log, Quarantined, [5a7bb0322c5e82b442d7346540c46799], PUP.Optional.Winsock.HijackBoot, C:\Windows\System32\WeWatcherProxyOff.ini, Quarantined, [4590eef435556bcb75abfb9e659fa35d], PUP.Optional.Winsock.HijackBoot, C:\Windows\SysWOW64\WeWatcherProxyOff.ini, Quarantined, [1abb81614941a78f4ad660397e868e72], Physical Sectors: 0(No malicious items detected)(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.