Removal instructions for CoffeeFeed

What is CoffeeFeed?

The Malwarebytes research team has determined that CoffeeFeed is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by CoffeeFeed?

You may see this entry in your list of installed programs:

[Screenshot: warning4.png]

and these Scheduled Tasks:

[Screenshot: warning3.png]

and this icon on your Desktop:

[Screenshot: icons.png]

that opens this site:

[Screenshot: main.png]

How did CoffeeFeed get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove CoffeeFeed?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.

Is there anything else I need to do to get rid of CoffeeFeed?

  • No, Malwarebytes Anti-Malware removes CoffeeFeed completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware application.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the CoffeeFeed adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

[Screenshot: protection1.png]

Technical details for experts

You will see these signs in a HijackThis log:

O20 - AppInit_DLLs: C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll

You may see these signs in FRST logs:

(CoffeeFeed) C:\ProgramData\CoffeeFeed\CoffeeFeed.exe
AppInit_DLLs: C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll => C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll [988160 2015-09-09] (CoffeeFeed)
AppInit_DLLs-x32: C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll => C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll [753664 2015-09-09] (CoffeeFeed)
C:\Windows\Tasks\UFEYWUUVKOTJLEVS.job
C:\Windows\Tasks\HEIRLJ1.job
C:\Windows\System32\Tasks\UFEYWUUVKOTJLEVS
C:\Windows\System32\Tasks\HEIRLJ1
C:\Users\Public\Desktop\CoffeeFeed.lnk
C:\ProgramData\Service5191
C:\ProgramData\CoffeeFeed
C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cf
CoffeeFeed (HKLM-x32\...\CoffeeFeed) (Version:  - )
Task: {0725EF9C-B117-4C5F-86FF-CE874583F53E} - System32\Tasks\HEIRLJ1 => C:\ProgramData\CoffeeFeed\CoffeeFeed.exe [2015-09-09] (CoffeeFeed) <==== ATTENTION
Task: {12570E7F-A457-4CBF-9535-D9AC81E05122} - System32\Tasks\UFEYWUUVKOTJLEVS => C:\ProgramData\Service5191\Service5191.exe [2015-09-22] () <==== ATTENTION
Task: C:\Windows\Tasks\HEIRLJ1.job => C:\ProgramData\CoffeeFeed\CoffeeFeed.exe <==== ATTENTION
Task: C:\Windows\Tasks\UFEYWUUVKOTJLEVS.job => C:\ProgramData\Service5191\Service5191.exe <==== ATTENTION
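
The AppInit_DLLs and Task entries in an FRST log like the one above can be triaged mechanically. This is an added example, not part of the original guide and not Malwarebytes or FRST code; the trusted-root list and the reading of the parenthesised field as a publisher name are assumptions.

```python
import re

# The first five entries are copied from the FRST excerpt on this page; the
# last one is constructed (hypothetical benign task) to show a non-match.
SAMPLE_FRST = r"""
AppInit_DLLs: C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll => C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll [988160 2015-09-09] (CoffeeFeed)
AppInit_DLLs-x32: C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll => C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll [753664 2015-09-09] (CoffeeFeed)
Task: {0725EF9C-B117-4C5F-86FF-CE874583F53E} - System32\Tasks\HEIRLJ1 => C:\ProgramData\CoffeeFeed\CoffeeFeed.exe [2015-09-09] (CoffeeFeed) <==== ATTENTION
Task: {12570E7F-A457-4CBF-9535-D9AC81E05122} - System32\Tasks\UFEYWUUVKOTJLEVS => C:\ProgramData\Service5191\Service5191.exe [2015-09-22] () <==== ATTENTION
Task: C:\Windows\Tasks\HEIRLJ1.job => C:\ProgramData\CoffeeFeed\CoffeeFeed.exe <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe [2015-01-01] (Example Corp)
"""

# Entry shape handled here: "<kind>: <source> => <target> [size/date] (publisher)".
# Assumption: the parenthesised field is the file's publisher; .job lines lack it.
ENTRY = re.compile(
    r"^(?P<kind>AppInit_DLLs(?:-x32)?|Task):\s*(?P<source>.+?)\s*=>\s*"
    r"(?P<target>[A-Za-z]:\\.+?\.(?:exe|dll))(?=\s|$)"
    r"(?:\s*\[[^\]]*\]\s*\((?P<publisher>[^)]*)\))?",
    re.IGNORECASE,
)
# Assumption: directories where autostart binaries are normally installed.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def triage(log_text):
    """Return (kind, source, target, reasons) for each entry worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["kind"].lower().startswith("appinit"):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            reasons.append("AppInit_DLLs entry")
        if not m["target"].lower().startswith(TRUSTED_ROOTS):
            reasons.append("target outside Windows/Program Files")
        if m["publisher"] == "":
            reasons.append("empty publisher field")
        if reasons:
            findings.append((m["kind"], m["source"], m["target"], reasons))
    return findings


if __name__ == "__main__":
    for kind, _source, target, reasons in triage(SAMPLE_FRST):
        print(f"{kind:17}{target}  <- {'; '.join(reasons)}")
```

All five entries taken from the page are reported; the constructed task under C:\Program Files is not.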

Alterations made by the installer:

File system details
---------------------------------------------
   Adds the folder C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cf
      Adds the file 982ae10af1c5431d91b53ba95916fee9"="9/22/2015 11:24 AM, 27840 bytes, A
   Adds the folder C:\ProgramData\CoffeeFeed
      Adds the file coffee.ico"="8/30/2015 2:48 PM, 2350 bytes, A
      Adds the file CoffeeFeed.exe"="9/9/2015 8:28 PM, 799232 bytes, A
      Adds the file CoffeeFeed32.dll"="9/9/2015 8:29 PM, 753664 bytes, A
      Adds the file CoffeeFeed64.dll"="9/9/2015 8:27 PM, 988160 bytes, A
      Adds the file install.log"="9/22/2015 11:24 AM, 84 bytes, A
      Adds the file NSISHelper.dll"="9/9/2015 8:29 PM, 479232 bytes, A
      Adds the file uninstall.exe"="9/22/2015 11:24 AM, 302391 bytes, A
   Adds the folder C:\ProgramData\Service5191
      Adds the file Service5191.exe"="9/22/2015 11:24 AM, 437248 bytes, A
   In the existing folder C:\Windows\System32\Tasks
      Adds the file HEIRLJ1"="9/22/2015 11:24 AM, 2878 bytes, A
      Adds the file UFEYWUUVKOTJLEVS"="9/22/2015 11:24 AM, 3380 bytes, A
   In the existing folder C:\Windows\Tasks
      Adds the file HEIRLJ1.job"="9/22/2015 11:25 AM, 364 bytes, A
      Adds the file UFEYWUUVKOTJLEVS.job"="9/22/2015 11:24 AM, 370 bytes, HA

Registry details
------------------------------------------
   [HKEY_LOCAL_MACHINE\SOFTWARE\{4FF668A0-BFB3-45DB-AB78-FCDA8055FED1}]
      "Install_Dir"="REG_SZ", "C:\ProgramData\CoffeeFeed"
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures]
      "HEIRLJ1.job"="REG_BINARY, ................................
      "HEIRLJ1.job.fp"="REG_DWORD", -185848008
      "UFEYWUUVKOTJLEVS.job"="REG_BINARY, .........R......................
      "UFEYWUUVKOTJLEVS.job.fp"="REG_DWORD", 2016211833
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      "AppInit_DLLs"=REG_SZ, "C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll "
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{4FF668A0-BFB3-45DB-AB78-FCDA8055FED1}]
      "Install_Dir"="REG_SZ", "C:\ProgramData\CoffeeFeed"
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CoffeeFeed]
      "DisplayName"="REG_SZ", "CoffeeFeed"
      "UninstallString"="REG_SZ", "C:\ProgramData\CoffeeFeed\uninstall.exe"
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
      "AppInit_DLLs"=REG_SZ, "C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll "
   [HKEY_CURRENT_USER\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}]
      "022f28070de7c71f34882fcf43cd"="REG_SZ", "0"
      "02cbace2b6ade4db71d27dcedb2f"="REG_SZ", "1"
      "083317d911d8412ba9c4fb8e745c"="REG_SZ", "1"
      "0f0960765c0836a0a7f1ed5bf93a"="REG_SZ", "180"
      "26d6cf88a0879ed0e6e93f60afda"="REG_SZ", "0"
      "499bb7167375a6d2591f291712e8"="REG_SZ", "0"
      "810255a94c0e2bd6e8cd9d433c39"="REG_SZ", "0"
      "955c0cf4e804f93def4e57b726c9"="REG_SZ", "0"
      "ae1106b9bc9c912d82def63c83aa"="REG_SZ", "1"
      "ba0d13e5410f923ed80b0db6a6e4"="REG_SZ", "0"
      "db732d7745eea9dad117e71fce5e"="REG_SZ", "1440"
      "f260a464675e443affc458683cb4"="REG_SZ", "0"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/22/2015
Scan Time: 11:39 AM
Logfile: mbamCoffeeFeed.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.09.22.04
Rootkit Database: v2015.09.18.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 351590
Time Elapsed: 31 min, 45 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed.exe, 4836, Delete-on-Reboot, [915b131fd2b9c175e951974c07fad030]
PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed.exe, 1624, Delete-on-Reboot, [915b131fd2b9c175e951974c07fad030]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.CoffeeFeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\HEIRLJ1, Delete-on-Reboot, [c92390a219722016971e93405ea61be5],
PUP.Optional.CoffeeFeed, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CoffeeFeed, Quarantined, [b6365ed4aae147ef03c22808976cb64a],

Registry Values: 0
(No malicious items detected)

Registry Data: 2
PUP.Optional.CoffeeFee, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll , Good: (), Bad: (C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll),Replaced,[20cc240eccbf9e988ab08063ef12718f]
PUP.Optional.CoffeeFee, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll , Good: (), Bad: (C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll),Replaced,[3eae171b2566cb6b48f20fd49d643dc3]

Folders: 2
PUP.Optional.WombatService, C:\ProgramData\Service5191, Quarantined, [806c3cf6e0ab3cfac015715723e17090],
PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed, Delete-on-Reboot, [b6365ed4aae147ef03c22808976cb64a],

Files: 13
PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed.exe, Delete-on-Reboot, [915b131fd2b9c175e951974c07fad030],
PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed64.dll, Quarantined, [20cc240eccbf9e988ab08063ef12718f],
PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\CoffeeFeed32.dll, Quarantined, [3eae171b2566cb6b48f20fd49d643dc3],
PUP.Optional.CoffeeFee, C:\ProgramData\CoffeeFeed\NSISHelper.dll, Quarantined, [38b491a1d4b7152150ea6e75bf42cb35],
PUP.Optional.CoffeeFeed, C:\Users\{username}\Desktop\CoffeeFeed.exe, Quarantined, [b8345bd72269fb3b1a551c8e2ad8f010],
PUP.Optional.CoffeeFee, C:\Users\{username}\AppData\Local\Temp\nsqA91B.tmp\NSISHelper.dll, Quarantined, [eb01b280e0ab45f187b3e3003bc6bb45],
PUP.Optional.WombatService, C:\ProgramData\Service5191\Service5191.exe, Quarantined, [806c3cf6e0ab3cfac015715723e17090],
PUP.Optional.CoffeeFeed, C:\Users\Public\Desktop\CoffeeFeed.lnk, Quarantined, [698343ef1675e05620923f94da2a2ed2],
PUP.Optional.CoffeeFeed, C:\Windows\System32\Tasks\HEIRLJ1, Quarantined, [9d4f11216c1f81b5f5be16bd689c1fe1],
PUP.Optional.CoffeeFeed, C:\Windows\Tasks\HEIRLJ1.job, Quarantined, [23c9151d7e0d6dc9a113924147bdfe02],
PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed\coffee.ico, Quarantined, [b6365ed4aae147ef03c22808976cb64a],
PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed\install.log, Quarantined, [b6365ed4aae147ef03c22808976cb64a],
PUP.Optional.CoffeeFeed, C:\ProgramData\CoffeeFeed\uninstall.exe, Quarantined, [b6365ed4aae147ef03c22808976cb64a],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.