Removal instructions for CoffeeFeed

[Metallica]

What is CoffeeFeed?

The Malwarebytes research team has determined that CoffeeFeed is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by CoffeeFeed?

You may see this entry in your list of installed programs:

and these Scheduled Tasks:

and this icon on your Desktop :

that opens this site:

How did CoffeeFeed get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove CoffeeFeed?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

• Please download Malwarebytes Anti-Malware to your desktop.
• Double-click mbam-setup-version.exe and follow the prompts to install the program.
• At the end, be sure a check-mark is placed next to the following:
  • Enable free trial of Malwarebytes Anti-Malware Premium
  • Launch Malwarebytes Anti-Malware
• Then click Finish.
• If an update is found, you will be prompted to download and install the latest version.
• Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
• When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
• Reboot your computer if prompted.

Is there anything else I need to do to get rid of CoffeeFeed?

• No, Malwarebytes' Anti-Malware removes CoffeeFeed completely.
• This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware application.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the CoffeeFeed adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

You will see these signs in a HijackThis log:

O20 - AppInit_DLLs: C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll 

You may see these signs in FRST logs:

 (CoffeeFeed) C:\ProgramData\CoffeeFeed\CoffeeFeed.exe AppInit_DLLs: C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll => C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll [988160 2015-09-09] (CoffeeFeed) AppInit_DLLs-x32: C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll => C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll [753664 2015-09-09] (CoffeeFeed) C:\Windows\Tasks\UFEYWUUVKOTJLEVS.job C:\Windows\Tasks\HEIRLJ1.job C:\Windows\System32\Tasks\UFEYWUUVKOTJLEVS C:\Windows\System32\Tasks\HEIRLJ1 C:\Users\Public\Desktop\CoffeeFeed.lnk C:\ProgramData\Service5191 C:\ProgramData\CoffeeFeed C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cfCoffeeFeed (HKLM-x32\...\CoffeeFeed) (Version:  - )Task: {0725EF9C-B117-4C5F-86FF-CE874583F53E} - System32\Tasks\HEIRLJ1 => C:\ProgramData\CoffeeFeed\CoffeeFeed.exe [2015-09-09] (CoffeeFeed) <==== ATTENTIONTask: {12570E7F-A457-4CBF-9535-D9AC81E05122} - System32\Tasks\UFEYWUUVKOTJLEVS => C:\ProgramData\Service5191\Service5191.exe [2015-09-22] () <==== ATTENTIONTask: C:\Windows\Tasks\HEIRLJ1.job => C:\ProgramData\CoffeeFeed\CoffeeFeed.exe <==== ATTENTIONTask: C:\Windows\Tasks\UFEYWUUVKOTJLEVS.job => C:\ProgramData\Service5191\Service5191.exe <==== ATTENTION

Alterations made by the installer:

File system details  ---------------------------------------------    Adds the folder C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cf       Adds the file 982ae10af1c5431d91b53ba95916fee9"="9/22/2015 11:24 AM, 27840 bytes, A    Adds the folder C:\ProgramData\CoffeeFeed       Adds the file coffee.ico"="8/30/2015 2:48 PM, 2350 bytes, A       Adds the file CoffeeFeed.exe"="9/9/2015 8:28 PM, 799232 bytes, A       Adds the file CoffeeFeed32.dll"="9/9/2015 8:29 PM, 753664 bytes, A       Adds the file CoffeeFeed64.dll"="9/9/2015 8:27 PM, 988160 bytes, A       Adds the file install.log"="9/22/2015 11:24 AM, 84 bytes, A       Adds the file NSISHelper.dll"="9/9/2015 8:29 PM, 479232 bytes, A       Adds the file uninstall.exe"="9/22/2015 11:24 AM, 302391 bytes, A    Adds the folder C:\ProgramData\Service5191       Adds the file Service5191.exe"="9/22/2015 11:24 AM, 437248 bytes, A    In the existing folder C:\Windows\System32\Tasks       Adds the file HEIRLJ1"="9/22/2015 11:24 AM, 2878 bytes, A       Adds the file UFEYWUUVKOTJLEVS"="9/22/2015 11:24 AM, 3380 bytes, A    In the existing folder C:\Windows\Tasks       Adds the file HEIRLJ1.job"="9/22/2015 11:25 AM, 364 bytes, A       Adds the file UFEYWUUVKOTJLEVS.job"="9/22/2015 11:24 AM, 370 bytes, HARegistry details  ------------------------------------------    [HKEY_LOCAL_MACHINE\SOFTWARE\{4FF668A0-BFB3-45DB-AB78-FCDA8055FED1}]       "Install_Dir"="REG_SZ", "C:\ProgramData\CoffeeFeed"    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures]       "HEIRLJ1.job"="REG_BINARY, ................................       "HEIRLJ1.job.fp"="REG_DWORD", -185848008       "UFEYWUUVKOTJLEVS.job"="REG_BINARY, .........R......................       "UFEYWUUVKOTJLEVS.job.fp"="REG_DWORD", 2016211833    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]       "AppInit_DLLs"=REG_SZ, "C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll "    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{4FF668A0-BFB3-45DB-AB78-FCDA8055FED1}]       "Install_Dir"="REG_SZ", "C:\ProgramData\CoffeeFeed"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CoffeeFeed]       "DisplayName"="REG_SZ", "CoffeeFeed"       "UninstallString"="REG_SZ", "C:\ProgramData\CoffeeFeed\uninstall.exe"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows       "AppInit_DLLs"=REG_SZ, "C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll "    [HKEY_CURRENT_USER\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}]       "022f28070de7c71f34882fcf43cd"="REG_SZ", "0"       "02cbace2b6ade4db71d27dcedb2f"="REG_SZ", "1"       "083317d911d8412ba9c4fb8e745c"="REG_SZ", "1"       "0f0960765c0836a0a7f1ed5bf93a"="REG_SZ", "180"       "26d6cf88a0879ed0e6e93f60afda"="REG_SZ", "0"       "499bb7167375a6d2591f291712e8"="REG_SZ", "0"       "810255a94c0e2bd6e8cd9d433c39"="REG_SZ", "0"       "955c0cf4e804f93def4e57b726c9"="REG_SZ", "0"       "ae1106b9bc9c912d82def63c83aa"="REG_SZ", "1"       "ba0d13e5410f923ed80b0db6a6e4"="REG_SZ", "0"       "db732d7745eea9dad117e71fce5e"="REG_SZ", "1440"       "f260a464675e443affc458683cb4"="REG_SZ", "0"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 9/22/2015Scan Time: 11:39 AMLogfile: mbamCoffeeFeed.txtAdministrator: YesVersion: 2.1.8.1057Malware Database: v2015.09.22.04Rootkit Database: v2015.09.18.01License: PremiumMalware Protection: DisabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: {username}Scan Type: Threat ScanResult: CompletedObjects Scanned: 351590Time Elapsed: 31 min, 45 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 2PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed.exe, 4836, Delete-on-Reboot, [915b131fd2b9c175e951974c07fad030]PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed.exe, 1624, Delete-on-Reboot, [915b131fd2b9c175e951974c07fad030]Modules: 0(No malicious items detected)Registry Keys: 2PUP.Optional.CoffeeFeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\HEIRLJ1, Delete-on-Reboot, [c92390a219722016971e93405ea61be5], PUP.Optional.CoffeeFeed, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CoffeeFeed, Quarantined, [b6365ed4aae147ef03c22808976cb64a], Registry Values: 0(No malicious items detected)Registry Data: 2PUP.Optional.CoffeeFee, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll , Good: (), Bad: (C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll),Replaced,[20cc240eccbf9e988ab08063ef12718f]PUP.Optional.CoffeeFee, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll , Good: (), Bad: (C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll),Replaced,[3eae171b2566cb6b48f20fd49d643dc3]Folders: 2PUP.Optional.WombatService, C:\ProgramData\Service5191, Quarantined, [806c3cf6e0ab3cfac015715723e17090], PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed, Delete-on-Reboot, [b6365ed4aae147ef03c22808976cb64a], Files: 13PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed.exe, Delete-on-Reboot, [915b131fd2b9c175e951974c07fad030], PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll, Quarantined, [20cc240eccbf9e988ab08063ef12718f], PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll, Quarantined, [3eae171b2566cb6b48f20fd49d643dc3], PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\NSISHelper.dll, Quarantined, [38b491a1d4b7152150ea6e75bf42cb35], PUP.Optional.CoffeeFeed, C:\Users\{username}\Desktop\CoffeeFeed.exe, Quarantined, [b8345bd72269fb3b1a551c8e2ad8f010], PUP.Optional.CoffeeFee, C:\Users\{username}\AppData\Local\Temp\nsqA91B.tmp\NSISHelper.dll, Quarantined, [eb01b280e0ab45f187b3e3003bc6bb45], PUP.Optional.WombatService, C:\ProgramData\Service5191\Service5191.exe, Quarantined, [806c3cf6e0ab3cfac015715723e17090], PUP.Optional.CoffeeFeed, C:\Users\Public\Desktop\CoffeeFeed.lnk, Quarantined, [698343ef1675e05620923f94da2a2ed2], PUP.Optional.CoffeeFeed, C:\Windows\System32\Tasks\HEIRLJ1, Quarantined, [9d4f11216c1f81b5f5be16bd689c1fe1], PUP.Optional.CoffeeFeed, C:\Windows\Tasks\HEIRLJ1.job, Quarantined, [23c9151d7e0d6dc9a113924147bdfe02], PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed\coffee.ico, Quarantined, [b6365ed4aae147ef03c22808976cb64a], PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed\install.log, Quarantined, [b6365ed4aae147ef03c22808976cb64a], PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed\uninstall.exe, Quarantined, [b6365ed4aae147ef03c22808976cb64a], Physical Sectors: 0(No malicious items detected)(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
• Malware Execution Prevention

Save yourself the hassle and get protected.