What is WikiNow?

The Malwarebytes research team has determined that WikiNow is a potentially unwanted program that behaves like adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by WikiNow?

This is the main screen of the program:

main.png

You may see these warnings during install:

warning1.png

warning2.png

warning3.png

and this entry in your list of installed Programs and Features:

warning4.png

How did WikiNow get on my computer?

Adware applications use different methods for distributing themselves. This particular one was downloaded from their website:

website.png

How do I remove WikiNow?

Our program Malwarebytes can detect and remove this adware program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished, click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of WikiNow?

  • No, Malwarebytes removes WikiNow completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this adware.

As you can see below, the full version of Malwarebytes would have protected you against the WikiNow adware. It would have blocked the installer before it became too late.

protection1.png

and it would have blocked access to their domain:

protection2.png

Technical details for experts

Possible signs in FRST logs:

(WikiNow -> WikiNow) [File not signed] C:\Users\{username}\AppData\Roaming\WikiNow\WikiNow.exe <3>
HKLM-x32\...\Run: [WikiNow] => C:\Users\{username}\AppData\Roaming\WikiNow\WikiNow.exe [4576296 2020-11-05] (WikiNow -> WikiNow) [File not signed]
C:\Users\{username}\AppData\Local\WikiNow
C:\Users\{username}\AppData\Roaming\WikiNow
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WikiNow

WikiNow - WikiNow for Desktop (HKLM-x32\...\WikiNow) (Version: 16.2011.1acwk - WikiNow)
(WikiNow -> ) [File not signed] C:\Users\{username}\AppData\Roaming\WikiNow\ffmpeg.dll
(WikiNow -> ) [File not signed] C:\Users\{username}\AppData\Roaming\WikiNow\node.dll
(WikiNow -> The NWJS Community) [File not signed] C:\Users\{username}\AppData\Roaming\WikiNow\nw.dll
(WikiNow -> The NWJS Community) [File not signed] C:\Users\{username}\AppData\Roaming\WikiNow\nw_elf.dll

Significant changes made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
       "WikiNow"="REG_SZ", "C:\Users\{username}\AppData\Roaming\WikiNow\WikiNow.exe --su"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WikiNow]
       "DisplayIcon"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\WikiNow\Uninstall.exe""
       "DisplayName"="REG_SZ", "WikiNow - WikiNow for Desktop"
       "DisplayVersion"="REG_SZ", "16.2011.1acwk"
       "EstimatedSize"="REG_DWORD", 111346
       "Publisher"="REG_SZ", "WikiNow"
       "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\WikiNow\Uninstall.exe""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\QWAVEdrv\Enum]
       "0"="REG_SZ", "Root\LEGACY_QWAVEDRV\0000"
       "Count"="REG_DWORD", 1
       "NextInstance"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\AppDataLow\Software\WikiNow]
       "uid"="REG_SZ", "51978453-B275-4844-A65A-6A55CA26DE1B"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/23/20
Scan Time: 9:13 AM
Log File: bd74eb1e-44f6-11eb-8546-080027235d76.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.34655
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 232841
Threats Detected: 18
Threats Quarantined: 17
Time Elapsed: 3 min, 27 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect


As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
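
The FRST signs listed under "Technical details for experts", turned into a small triage check (an added example, not part of the original post and not Malwarebytes or FRST code). It goes slightly beyond WikiNow by flagging any Run entry or unsigned binary that lives in a user's AppData; the regular expressions are inferred from the line shapes shown on this page, and the two Microsoft lines in the sample are constructed.

```python
import re

# Line shapes copied from the FRST excerpt on this page; treating them as the
# general FRST layout is an assumption of this example.
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)(?:-x32)?\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => "
    r"(?P<path>[A-Z]:\\.+?\.exe)\b(?P<rest>.*)$", re.I)
BIN_RE = re.compile(
    r"^\((?P<signer>[^)]*)\) \[File not signed\] "
    r"(?P<path>[A-Z]:\\.+?\.(?:exe|dll))\b", re.I)
PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)


def triage(lines):
    """Return (kind, name_or_signer, path, reasons) for lines worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if PROFILE_RE.match(m["path"]):
                reasons.append("autorun target inside a user profile")
                if m["hive"].upper() == "HKLM":
                    # A machine-wide autorun normally points at Program Files
                    # or Windows, not at one user's AppData.
                    reasons.append("machine-wide Run key points into one user's AppData")
            if "[File not signed]" in m["rest"]:
                reasons.append("target not signed")
            if reasons:
                findings.append(("autorun", m["name"], m["path"], reasons))
            continue
        m = BIN_RE.match(line)
        if m and PROFILE_RE.match(m["path"]):
            findings.append(("unsigned-binary", m["signer"], m["path"],
                             ["unsigned binary loaded from a user profile"]))
    return findings


SAMPLE = [
    # Taken from the FRST excerpt on this page:
    r"(WikiNow -> WikiNow) [File not signed] C:\Users\{username}\AppData\Roaming\WikiNow\WikiNow.exe <3>",
    r"HKLM-x32\...\Run: [WikiNow] => C:\Users\{username}\AppData\Roaming\WikiNow\WikiNow.exe [4576296 2020-11-05] (WikiNow -> WikiNow) [File not signed]",
    r"(WikiNow -> The NWJS Community) [File not signed] C:\Users\{username}\AppData\Roaming\WikiNow\nw.dll",
    # Constructed benign lines for contrast (not from the page):
    r"HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [100000 2020-01-01] (Microsoft Windows -> Microsoft Corporation)",
    r"(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dwm.exe",
]

if __name__ == "__main__":
    for kind, who, path, reasons in triage(SAMPLE):
        print(f"{kind:16} {who:30} {path}\n    " + "; ".join(reasons))
```

Legitimate per-user applications also install into AppData, so a hit here is a prompt for review, not a verdict.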
