Metallica

Moderators
  1. What is MediaPlayAir?

     The Malwarebytes research team has determined that MediaPlayAir is adware. These adware applications display advertisements not originating from the sites you are browsing.

     How do I know if my computer is affected by MediaPlayAir?

     You may see this entry in your list of installed programs:
     and this icon on your desktop and in your taskbar and Start menu:
     and this warning during install:
     This is the main window of the potentially unwanted program:

     How did MediaPlayAir get on my computer?

     Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

     How do I remove MediaPlayAir?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

     • Please download Malwarebytes Anti-Malware to your desktop.
     • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
     • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
     • Then click Finish.
     • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
     • If an update is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of MediaPlayAir?

     No, Malwarebytes' Anti-Malware removes MediaPlayAir completely.

     How would the full version of Malwarebytes Anti-Malware help protect me?

     We hope our application and this guide have helped you eradicate this adware. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the MediaPlayAir adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
     Technical details for experts

     Possible signs in FRST logs:

       (ironSource) C:\Program Files (x86)\MediaPlayAir\MediaPlayAir.exe
       C:\Users\Public\Desktop\MediaPlayAir.lnk
       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MediaPlayAir
       C:\Program Files (x86)\MediaPlayAir
       MediaPlayAir (HKLM-x32\...\{4F44DC3F-AE62-4AB1-114B-BB223C512F9B}_is1) (Version: 1.0.0.0 - MediaPlayAir)
       () C:\Program Files (x86)\MediaPlayAir\Libraries\libvlccore.dll
       () C:\Program Files (x86)\MediaPlayAir\Libraries\libvlc.dll
       () C:\Program Files (x86)\MediaPlayAir\Libraries\plugins\audio_output\libaout_directx_plugin.dll
       () C:\Program Files (x86)\MediaPlayAir\Libraries\plugins\audio_output\libwaveout_plugin.dll

     Alterations made by the installer:

     File system details (Selection)

     Registry details (Selection)

     Malwarebytes Anti-Malware log:

     As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.
  2. What is MyPC Backup?

     The Malwarebytes research team has determined that MyPC Backup is nagware. This one typically gets bundled with other software or promoted heavily through dubious advertisers. Once installed it keeps reminding the user to register the full version.

     How do I know if I am infected with MyPC Backup?

     This is how the main screen of the unregistered version of the application looks:
     You will find these icons in your taskbar and on your desktop:
     and you may see this entry in your list of installed programs:
     and this task in your Task Scheduler:

     How did MyPC Backup get on my computer?

     These so-called registry cleaners use different methods of getting installed. This particular one was bundled by other software.

     How do I remove MyPC Backup?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.

     • Please download Malwarebytes Anti-Malware to your desktop.
     • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
     • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
     • Then click Finish.
     • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
     • If an update is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of MyPC Backup?

     No, Malwarebytes' Anti-Malware removes MyPC Backup completely. This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

     How would the full version of Malwarebytes Anti-Malware help protect me?

     We hope our application and this guide have helped you eradicate this nagware. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the MyPC Backup installer.
     It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

     Technical details for experts

     You may see these entries in FRST logs:

       () C:\Program Files (x86)\OLBPre\OLBPre.exe
       Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk [2016-09-22]
       ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\OLBPre\OLBPre.exe ()
       C:\Windows\System32\Tasks\LaunchPreSignup
       C:\Users\{username}\Desktop\MyPC Backup.lnk
       C:\Program Files (x86)\OLBPre
       MyPC Backup (HKLM\...\OLBPre) (Version: - MyPC Backup) <==== ATTENTION
       Task: {33A0B791-213F-48AD-AC7D-989EE32023B7} - System32\Tasks\LaunchPreSignup => C:\Program Files (x86)\OLBPre\OLBPre.exe [2016-01-03] () <==== ATTENTION
       () C:\Program Files (x86)\OLBPre\OLBPre.exe
       () C:\Program Files (x86)\OLBPre\LinqBridge.dll

     Alterations made by the installer:

     File system details (Selection)

     Registry details (Selection)

     Malwarebytes Anti-Malware log:

     As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

     • Dynamically Blocks Malware Sites & Servers
     • Malware Execution Prevention

     Save yourself the hassle and get protected.
  3. What is Window User Manager?

     The Malwarebytes research team has determined that Window User Manager is adware. These adware applications display advertisements not originating from the sites you are browsing.

     How do I know if my computer is affected by Window User Manager?

     You may see this entry in your list of installed programs:

     How did Window User Manager get on my computer?

     Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

     How do I remove Window User Manager?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

     • Please download Malwarebytes Anti-Malware to your desktop.
     • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
     • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
     • Then click Finish.
     • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
     • If an update is available, it will be implemented before the rest of the scanning procedure.
     • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
     • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Window User Manager?

     No, Malwarebytes' Anti-Malware removes Window User Manager completely.

     How would the full version of Malwarebytes Anti-Malware help protect me?

     We hope our application and this guide have helped you eradicate this adware. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Window User Manager adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
The web protection module also blocks some of the connections the installer tries to make:

Technical details for experts

Possible signs in FRST logs:

(FLC Soft) C:\Program Files (x86)\winuse\WinUserSync.exe
(FLC Soft) C:\Program Files (x86)\winuse\WinUserSync_.exe
(FLC Soft) C:\Program Files (x86)\winuse\WinUse_.exe
(FLC Soft) C:\Program Files (x86)\winuse\WinUse.exe
R2 WinUseSvc; C:\Program Files (x86)\winuse\WinUserSync.exe [134656 2016-09-19] (FLC Soft) [File not signed]
R2 WinUseSvc2; C:\Program Files (x86)\winuse\WinUserSync_.exe [128512 2016-09-19] (FLC Soft) [File not signed]
C:\Program Files (x86)\winuse
Window User Manager (HKLM-x32\...\Window User Manager) (Version: 1.72 - FLC Soft)
() C:\Program Files (x86)\WinUse\libcef.dll

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\winuse
    Adds the file cef.pak"="6/20/2016 8:37 AM, 2749972 bytes, A
    Adds the file cef_100_percent.pak"="6/20/2016 8:37 AM, 146067 bytes, A
    Adds the file cef_200_percent.pak"="6/20/2016 8:37 AM, 235262 bytes, A
    Adds the file cef_extensions.pak"="6/20/2016 8:37 AM, 4409164 bytes, A
    Adds the file d3dcompiler_43.dll"="6/20/2016 8:37 AM, 2106216 bytes, A
    Adds the file d3dcompiler_47.dll"="6/20/2016 8:37 AM, 3709120 bytes, A
    Adds the file devtools_resources.pak"="6/20/2016 8:37 AM, 4740603 bytes, A
    Adds the file icudtl.dat"="6/20/2016 8:37 AM, 10127152 bytes, A
    Adds the file libcef.dll"="6/20/2016 8:37 AM, 52043776 bytes, A
    Adds the file libcurl.dll"="10/27/2014 6:11 PM, 1358336 bytes, A
    Adds the file libEGL.dll"="6/20/2016 8:37 AM, 80384 bytes, A
    Adds the file libGLESv2.dll"="6/20/2016 8:37 AM, 1734656 bytes, A
    Adds the file log4cplusU.dll"="1/14/2015 11:55 AM, 386560 bytes, A
    Adds the file msvcp120.dll"="11/24/2014 9:23 AM, 455328 bytes, A
    Adds the file msvcr120.dll"="11/24/2014 9:23 AM, 970912 bytes, A
    Adds the file natives_blob.bin"="6/20/2016 8:37 AM, 415490 bytes, A
    Adds the file snapshot_blob.bin"="6/20/2016 8:37 AM, 517972 bytes, A
    Adds the file Uninstall.exe"="9/20/2016 10:45 AM, 189958 bytes, A
    Adds the file widevinecdmadapter.dll"="6/20/2016 8:37 AM, 212992 bytes, A
    Adds the file WinUse.exe"="9/19/2016 7:53 PM, 680448 bytes, A
    Adds the file WinUse_.exe"="9/19/2016 7:35 PM, 662528 bytes, A
    Adds the file WinUserSync.exe"="9/19/2016 4:34 PM, 134656 bytes, A
    Adds the file WinUserSync_.exe"="9/19/2016 4:37 PM, 128512 bytes, A
    Adds the file winusertask.exe"="9/19/2016 4:27 PM, 1890304 bytes, A
    Adds the file winusertask_.exe"="9/19/2016 4:29 PM, 1822208 bytes, A
    Adds the file wow_helper.exe"="5/13/2016 9:59 AM, 67072 bytes, A
Adds the folder C:\Program Files (x86)\winuse\che
    Adds the file Cookies"="9/20/2016 10:45 AM, 7168 bytes, A
    Adds the file Cookies-journal"="9/20/2016 10:45 AM, 0 bytes, A
    Adds the file data_0"="9/20/2016 10:45 AM, 45056 bytes, A
    Adds the file f_00001b"="9/20/2016 10:46 AM, 27658 bytes, A
    Adds the file index"="9/20/2016 10:45 AM, 262512 bytes, A
    Adds the file Visited Links"="9/20/2016 10:45 AM, 131072 bytes, A
Adds the folder C:\Program Files (x86)\winuse\che\GPUCache
    Adds the file data_0"="9/20/2016 10:45 AM, 8192 bytes, A
    Adds the file index"="9/20/2016 10:45 AM, 262512 bytes, A
Adds the folder C:\Program Files (x86)\winuse\che1
    Adds the file Cookies"="9/20/2016 10:45 AM, 7168 bytes, A
    Adds the file Cookies-journal"="9/20/2016 10:45 AM, 0 bytes, A
    Adds the file data_0"="9/20/2016 10:45 AM, 45056 bytes, A
    Adds the file f_000018"="9/20/2016 10:46 AM, 71508 bytes, A
    Adds the file index"="9/20/2016 10:45 AM, 262512 bytes, A
    Adds the file Visited Links"="9/20/2016 10:45 AM, 131072 bytes, A
Adds the folder C:\Program Files (x86)\winuse\che1\GPUCache
    Adds the file data_0"="9/20/2016 10:45 AM, 8192 bytes, A
    Adds the file data_1"="9/20/2016 10:45 AM, 270336 bytes, A
    Adds the file data_2"="9/20/2016 10:45 AM, 8192 bytes, A
    Adds the file data_3"="9/20/2016 10:45 AM, 8192 bytes, A
    Adds the file index"="9/20/2016 10:45 AM, 262512 bytes, A
Adds the folder C:\Program Files (x86)\winuse\locales
Adds the folder C:\Program Files (x86)\winuse\plugins
    Adds the file pepflashplayer.dll"="6/30/2016 3:25 AM, 31555776 bytes, A
Adds the folder C:\Program Files (x86)\winuse\Update
Adds the folder C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\okwinuse]
"ID"="REG_SZ"", "3D02DFE1-1DFE-4E12-8766-5B8D7B480922"
"InstallAMID"="REG_SZ"", ""
"InstallSID"="REG_SZ"", ""
"Version"="REG_SZ"", "172"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Window User Manager]
"DisplayName"="REG_SZ"", "Window User Manager"
"DisplayVersion"="REG_SZ"", "1.72"
"EstimatedSize"="REG_DWORD"", 94776
"InstallDate"="REG_SZ"", "20150920"
"Publisher"="REG_SZ"", "FLC Soft"
"UninstallString"="REG_SZ"", ""C:\Program Files (x86)\winuse\uninstall.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\okwinuse]
"ID"="REG_SZ"", "3D02DFE1-1DFE-4E12-8766-5B8D7B480922"
"InstallAMID"="REG_SZ"", "0"
"InstallDate"="REG_SZ"", "20.09.2016 10:45"
"InstallSID"="REG_SZ"", ""
"restart1"="REG_SZ"", "1"
"restart2"="REG_SZ"", "1"
"Success"="REG_SZ"", "1"
"Version"="REG_SZ"", "172"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinUseSvc]
"DisplayName"="REG_SZ"", "Window User Manager"
"ErrorControl"="REG_DWORD"", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\winuse\WinUserSync.exe"
"ObjectName"="REG_SZ"", "LocalSystem"
"Start"="REG_DWORD"", 2
"Type"="REG_DWORD"", 16
"WOW64"="REG_DWORD"", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinUseSvc2]
"DisplayName"="REG_SZ"", "Window User Manager2"
"ErrorControl"="REG_DWORD"", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\winuse\WinUserSync_.exe"
"ObjectName"="REG_SZ"", "LocalSystem"
"Start"="REG_DWORD"", 2
"Type"="REG_DWORD"", 16
"WOW64"="REG_DWORD"", 1
[HKEY_CURRENT_USER\Software\winmnt]
"Success"="REG_SZ"", "1"

Malwarebytes Anti-Malware log:

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  4. What is My Web Shield?

The Malwarebytes research team has determined that My Web Shield is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by My Web Shield?

You may see this entry in your list of installed programs:

and these warnings during install:

How did My Web Shield get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove My Web Shield?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of My Web Shield?

No, Malwarebytes' Anti-Malware removes My Web Shield completely. You may find a shortcut called "Manager" in your Startup folder. If this shortcut belongs to "My Web Shield" you can delete it. Since the file it points to no longer exists, it could cause an error.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the My Web Shield adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

S1 mwescontroller; \??\C:\Windows\system32\drivers\mwescontroller.sys [X]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Manager.lnk
C:\Program Files\My Web Shield
My Web Shield (HKLM\...\mweshield) (Version: 3.0 - My Web Shield)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\My Web Shield
    Adds the file mwesuninstall.exe"="9/19/2016 11:25 AM, 454992 bytes, A
    Adds the file My Web Shield.zip"="9/20/2016 11:45 AM, 3072486 bytes, A
Adds the folder C:\Program Files\My Web Shield\nss
In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    Adds the file Manager.lnk"="9/20/2016 11:45 AM, 637 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield]
"DisplayIcon"="REG_SZ", "C:\Program Files\My Web Shield\mwesuninstall.exe"
"DisplayName"="REG_SZ", "My Web Shield"
"DisplayVersion"="REG_SZ", "3.0"
"EstimatedSize"="REG_DWORD", 6000
"InstallDate"="REG_SZ", "20160920"
"Publisher"="REG_SZ", "My Web Shield"
"UninstallString"="REG_SZ", "C:\Program Files\My Web Shield\mwesuninstall.exe uninst=1"
[HKEY_LOCAL_MACHINE\SOFTWARE\mweshield]
"campaignid"="REG_SZ", "0"
"ff"="REG_SZ", "yes"
"siteid"="REG_SZ", "0"
"sourceid"="REG_SZ", "1"
"userid"="REG_SZ", "719C153A-1768-4109-801A-7B56355940C4"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mwescontroller]
"DisplayName"="REG_SZ", "mwescontroller"
"ErrorControl"="REG_DWORD", 1
"Group"="REG_SZ", "PNP_TDI"
"ImagePath"="REG_EXPAND_SZ, "\??\C:\Windows\system32\drivers\mwescontroller.sys"
"Start"="REG_DWORD", 1
"Tag"="REG_DWORD", 9
"Type"="REG_DWORD", 1
"WOW64"="REG_DWORD", 1

Malwarebytes Anti-Malware log:

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
  5. What is nerta TSS?

The Malwarebytes research team has determined that nerta TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by nerta TSS?

You may see this task in your Task Scheduler: and this entry in your list of installed programs:

How did nerta TSS get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was bundled with other software. It installs files that will produce a fake Windows Activation screen with the Tech Support Scammers' number. It can take a while before this actually happens, so you might be unaware of which install was the trigger. It shows this fake error screen on top of your other applications, constantly refreshing so it's hard to stop.

How do I remove nerta TSS?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. Due to the nature of the infection, you will need to stop the malware process from running.
When confronted with the fake blue error screen, use the Ctrl-Alt-Del key combination and run Task Manager.
In the list of processes find nerta.exe.
Select the nerta.exe process and click on the End Process button.
Now you should have access to your desktop and other programs.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of nerta TSS?

No, Malwarebytes' Anti-Malware removes nerta TSS completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:

() C:\Program Files (x86)\Stlr\nerta\nerta.exe
() C:\Program Files (x86)\Stlr\nerta\nertacs.exe
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk [2016-09-19]
ShortcutTarget: Nerta.lnk -> C:\Windows\System32\schtasks.exe (Microsoft Corporation)
R2 nrtService; C:\Program Files (x86)\Stlr\nerta\nertacs.exe [12288 2016-08-16] () [File not signed]
C:\Windows\System32\Tasks\nerta
C:\Users\{username}\AppData\Roaming\st
C:\Program Files (x86)\Stlr
nerta (HKLM-x32\...\nerta) (Version: 2.1.2 - Stlr)
Task: {0767AA60-4FDF-457C-9D2B-D132747A2416} - System32\Tasks\nerta => C:\Program Files (x86)\Stlr\nerta\nerta.exe [2016-08-29] ()

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nerta_RASAPI32]
    "ConsoleTracingMask"="REG_DWORD", -65536
    "EnableConsoleTracing"="REG_DWORD", 0
    "EnableFileTracing"="REG_DWORD", 0
    "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
    "FileTracingMask"="REG_DWORD", -65536
    "MaxFileSize"="REG_DWORD", 1048576
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nerta_RASMANCS]
    "ConsoleTracingMask"="REG_DWORD", -65536
    "EnableConsoleTracing"="REG_DWORD", 0
    "EnableFileTracing"="REG_DWORD", 0
    "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
    "FileTracingMask"="REG_DWORD", -65536
    "MaxFileSize"="REG_DWORD", 1048576
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\nerta]
    "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Stlr\nerta\Uninstall.exe"
    "DisplayName"="REG_SZ", "nerta"
    "DisplayVersion"="REG_SZ", "2.1.2"
    "EstimatedSize"="REG_DWORD", 2423
    "InstallDate"="REG_SZ", "20160919"
    "InstallLocation"="REG_SZ", "C:\Program Files (x86)\Stlr\nerta\"
    "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
    "Language"="REG_DWORD", 1033
    "NoModify"="REG_DWORD", 1
    "NoRepair"="REG_DWORD", 1
    "Publisher"="REG_SZ", "Stlr"
    "UninstallString"="REG_SZ", "C:\Program Files (x86)\Stlr\nerta\Uninstall.exe"
    "VersionMajor"="REG_DWORD", 2
    "VersionMinor"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\nrtService]
    "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nrtService]
    "DelayedAutostart"="REG_DWORD", 0
    "Description"="REG_SZ", "this will update the gas"
    "DisplayName"="REG_SZ", "Btior New"
    "ErrorControl"="REG_DWORD", 1
    "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\Stlr\nerta\nertacs.exe""
    "ObjectName"="REG_SZ", "LocalSystem"
    "Start"="REG_DWORD", 2
    "Type"="REG_DWORD", 16

Malwarebytes Anti-Malware log:

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
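The FRST entries listed for nerta TSS combine three autorun mechanisms: a Startup shortcut whose target is schtasks.exe, a scheduled task, and an unsigned auto-start service in the same install folder. The Python script below is an added example, not part of the original guide or of FRST; it flags that combination in FRST-style text, and its rule names and regular expressions are assumptions inferred from the line shapes shown on this page.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any host OS

# Constructed sample: the FRST-style entries listed for nerta TSS in this guide.
SAMPLE_FRST = r"""
() C:\Program Files (x86)\Stlr\nerta\nerta.exe
() C:\Program Files (x86)\Stlr\nerta\nertacs.exe
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nerta.lnk [2016-09-19]
ShortcutTarget: Nerta.lnk -> C:\Windows\System32\schtasks.exe (Microsoft Corporation)
R2 nrtService; C:\Program Files (x86)\Stlr\nerta\nertacs.exe [12288 2016-08-16] () [File not signed]
Task: {0767AA60-4FDF-457C-9D2B-D132747A2416} - System32\Tasks\nerta => C:\Program Files (x86)\Stlr\nerta\nerta.exe [2016-08-29] ()
"""

# Line shapes are inferred from the entries on this page (assumption),
# not taken from an FRST specification.
SHORTCUT_RE = re.compile(
    r"^ShortcutTarget:\s+(?P<lnk>.+?\.lnk)\s+->\s+(?P<target>.+?\.exe)\b", re.I)
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>[0-4])\s+(?P<name>[^;]+);\s+"
    r"(?P<path>.+?\.(?:exe|sys|dll))\b(?P<rest>.*)$", re.I)
TASK_RE = re.compile(
    r"^Task:\s+\{[0-9A-F-]+\}\s+-\s+(?P<task>\S.*?)\s+=>\s+(?P<path>.+?\.exe)\b", re.I)

# Service start types that load without user action: 0 boot, 1 system, 2 automatic.
AUTOSTART = {"0", "1", "2"}


def normalise(path):
    """Drop the NT object-manager prefix and lowercase the path for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def triage(frst_text):
    """Return (rule, detail) findings for persistence patterns in FRST-style text."""
    findings = []
    kinds_by_dir = defaultdict(set)  # install directory -> {"service", "task"}
    for raw in frst_text.splitlines():
        line = raw.strip()
        m = SHORTCUT_RE.match(line)
        if m:
            # A Startup shortcut that runs schtasks.exe hides the real payload
            # behind a scheduled task instead of pointing at it directly.
            if basename(m["target"]).lower() == "schtasks.exe":
                findings.append(("startup-shortcut-runs-schtasks", m["lnk"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m["name"].strip(), m["rest"]
            kinds_by_dir[dirname(normalise(m["path"]))].add("service")
            if m["start"] in AUTOSTART and "[File not signed]" in rest:
                findings.append(("unsigned-autostart-service", name))
            if "[X]" in rest:
                # FRST appends [X] when the service's file is missing on disk:
                # a leftover registration that still needs cleaning up.
                findings.append(("service-file-missing", name))
            continue
        m = TASK_RE.match(line)
        if m:
            kinds_by_dir[dirname(normalise(m["path"]))].add("task")
    # A task target and a service image in one folder point at a single bundle.
    for directory, kinds in kinds_by_dir.items():
        if kinds >= {"service", "task"}:
            findings.append(("task-and-service-share-directory", directory))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_FRST):
        print(f"{rule}: {detail}")
```
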
  6. What is GoPCPro?

The Malwarebytes research team has determined that GoPCPro is a fake system optimizer. These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Unpacked blog.

How do I know if I am infected with GoPCPro?

This is how the main screen of the registry cleaning application looks: You will see these warnings during install: and these screens during "operations": You may see this entry in your list of installed programs: and this task in your Task Scheduler:

How did GoPCPro get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one is advertised as the #1 registry optimizer.

How do I remove GoPCPro?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of GoPCPro?

No, Malwarebytes' Anti-Malware removes GoPCPro completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the GoPCPro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and it stops some of the connections it tries to make:

Technical details for experts

You may see these entries in FRST logs:

(GoPcPro) C:\Program Files (x86)\GoPcPro\GoPcPro\GoPcPro.exe
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoPcPro.lnk [2016-09-16]
ShortcutTarget: GoPcPro.lnk -> C:\Windows\System32\schtasks.exe (Microsoft Corporation)
S2 Service1; C:\Program Files (x86)\GoPcPro\GoPcPro\updater.exe [51200 2015-09-10] () [File not signed]
C:\Windows\System32\Tasks\GoPcPro
C:\Users\{username}\Desktop\GoPcPro.lnk
C:\Program Files (x86)\GoPcPro
GoPcPro (HKLM-x32\...\GoPcPro) (Version: 2.1.0 - GoPcPro)
Task: {D899F01E-2606-4FB8-810D-7C360EDD439F} - System32\Tasks\GoPcPro => C:\Program Files (x86)\GoPcPro\GoPcPro\GoPcPro.exe [2015-09-11] (GoPcPro)

Alterations made by the installer:

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GoPcPro]
    "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\GoPcPro\GoPcPro\Uninstall.exe"
    "DisplayName"="REG_SZ", "GoPcPro"
    "DisplayVersion"="REG_SZ", "2.1.0"
    "EstimatedSize"="REG_DWORD", 47735
    "HelpLink"="REG_SZ", "mailto:support@gopcpro.com"
    "InstallDate"="REG_SZ", "20160916"
    "InstallLocation"="REG_SZ", "C:\Program Files (x86)\GoPcPro\GoPcPro\"
    "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
    "Language"="REG_DWORD", 1033
    "NoModify"="REG_DWORD", 1
    "NoRepair"="REG_DWORD", 1
    "Publisher"="REG_SZ", "GoPcPro"
    "UninstallString"="REG_SZ", "C:\Program Files (x86)\GoPcPro\GoPcPro\Uninstall.exe"
    "URLInfoAbout"="REG_SZ", "http://www.gopcpro.com/"
    "VersionMajor"="REG_DWORD", 2
    "VersionMinor"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Service1]
    "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Service1]
    "DelayedAutostart"="REG_DWORD", 0
    "Description"="REG_SZ", "Plugins Update Service"
    "DisplayName"="REG_SZ", "Plugins Service"
    "ErrorControl"="REG_DWORD", 1
    "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\GoPcPro\GoPcPro\updater.exe""
    "ObjectName"="REG_SZ", "LocalSystem"
    "Start"="REG_DWORD", 2
    "Type"="REG_DWORD", 16

Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/16/2016
Scan Time: 8:53 AM
Logfile: mbamGoPCPro.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.16.03
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320836
Time Elapsed: 9 min, 9 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
  7. What is Window Quick Manager?

The Malwarebytes research team has determined that Window Quick Manager is adware. These adware applications display advertisements not originating from the sites you are browsing. This one belongs to the WinRange family.

How do I know if my computer is affected by Window Quick Manager?

You may see this entry in your list of installed programs:

How did Window Quick Manager get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Window Quick Manager?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Window Quick Manager?

No, Malwarebytes' Anti-Malware removes Window Quick Manager completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Window Quick Manager adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

The web protection module also blocks some of the connections the installer tries to make:

Technical details for experts

Possible signs in FRST logs:

(QG Inc.) C:\Program Files (x86)\winmake\WinQSync.exe
(QG Inc.) C:\Program Files (x86)\winmake\WinQSync_.exe
(QG Inc.) C:\Program Files (x86)\winmake\WinMake_.exe
(QG Inc.) C:\Program Files (x86)\winmake\WinMake.exe
R2 WinQSvc; C:\Program Files (x86)\winmake\WinQSync.exe [202240 2016-09-13] (QG Inc.) [File not signed]
R2 WinQSvc2; C:\Program Files (x86)\winmake\WinQSync_.exe [128512 2016-09-13] (QG Inc.) [File not signed]
C:\Users\{username}\AppData\Local\CEF
C:\Program Files (x86)\winmake
Window Quick Manager (HKLM-x32\...\Window Quick Manager) (Version: 1.71 - QG Inc.)
() C:\Program Files (x86)\WinMake\libcef.dll
() C:\Program Files (x86)\WinMake\log4cplusU.dll

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\winmake
    Adds the file cef.pak"="6/20/2016 8:37 AM, 2749972 bytes, A
    Adds the file cef_100_percent.pak"="6/20/2016 8:37 AM, 146067 bytes, A
    Adds the file cef_200_percent.pak"="6/20/2016 8:37 AM, 235262 bytes, A
    Adds the file cef_extensions.pak"="6/20/2016 8:37 AM, 4409164 bytes, A
    Adds the file d3dcompiler_43.dll"="6/20/2016 8:37 AM, 2106216 bytes, A
    Adds the file d3dcompiler_47.dll"="6/20/2016 8:37 AM, 3709120 bytes, A
    Adds the file devtools_resources.pak"="6/20/2016 8:37 AM, 4740603 bytes, A
    Adds the file icudtl.dat"="6/20/2016 8:37 AM, 10127152 bytes, A
    Adds the file libcef.dll"="6/20/2016 8:37 AM, 52043776 bytes, A
    Adds the file libcurl.dll"="10/27/2014 6:11 PM, 1358336 bytes, A
    Adds the file libEGL.dll"="6/20/2016 8:37 AM, 80384 bytes, A
    Adds the file libGLESv2.dll"="6/20/2016 8:37 AM, 1734656 bytes, A
    Adds the file log4cplusU.dll"="1/14/2015 11:55 AM, 386560 bytes, A
    Adds the file msvcp120.dll"="11/24/2014 9:23 AM, 455328 bytes, A
    Adds the file msvcr120.dll"="11/24/2014 9:23 AM, 970912 bytes, A
    Adds the file natives_blob.bin"="6/20/2016 8:37 AM, 415490 bytes, A
    Adds the file release.log"="9/15/2016 5:38 PM, 0 bytes, A
    Adds the file snapshot_blob.bin"="6/20/2016 8:37 AM, 517972 bytes, A
    Adds the file Uninstall.exe"="9/15/2016 5:38 PM, 189936 bytes, A
    Adds the file widevinecdmadapter.dll"="6/20/2016 8:37 AM, 212992 bytes, A
    Adds the file WinMake.exe"="9/13/2016 2:36 PM, 711680 bytes, A
    Adds the file WinMake_.exe"="9/13/2016 2:32 PM, 711680 bytes, A
    Adds the file WinQSync.exe"="9/13/2016 2:27 PM, 202240 bytes, A
    Adds the file WinQSync_.exe"="9/13/2016 2:30 PM, 128512 bytes, A
    Adds the file winqtask.exe"="9/13/2016 2:19 PM, 1890304 bytes, A
    Adds the file winqtask_.exe"="9/13/2016 2:24 PM, 1822208 bytes, A
    Adds the file wow_helper.exe"="5/13/2016 9:59 AM, 67072 bytes, A
Adds the folder C:\Program Files (x86)\winmake\cache
    Adds the file Cookies"="9/15/2016 5:38 PM, 7168 bytes, A
    Adds the file Cookies-journal"="9/15/2016 5:38 PM, 0 bytes, A
    Adds the file data_0"="9/15/2016 5:38 PM, 45056 bytes, A
    Adds the file f_00001e"="9/15/2016 5:39 PM, 100173 bytes, A
    Adds the file index"="9/15/2016 5:38 PM, 262512 bytes, A
    Adds the file Visited Links"="9/15/2016 5:39 PM, 131072 bytes, A
Adds the folder C:\Program Files (x86)\winmake\cache\GPUCache
Adds the folder C:\Program Files (x86)\winmake\cache1
Adds the folder C:\Program Files (x86)\winmake\cache1\GPUCache
Adds the folder C:\Program Files (x86)\winmake\locales
Adds the folder C:\Program Files (x86)\winmake\plugins
    Adds the file pepflashplayer.dll"="6/30/2016 3:25 AM, 31555776 bytes, A
Adds the folder C:\Program Files (x86)\winmake\Update
Adds the folder C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\okwinmake]
    "ID"="REG_SZ", "0CF65EE2-079F-4EF4-915F-2688D5816EA4"
    "InstallAMID"="REG_SZ", ""
    "InstallSID"="REG_SZ", ""
    "Version"="REG_SZ", "171"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Window Quick Manager]
    "DisplayName"="REG_SZ", "Window Quick Manager"
    "DisplayVersion"="REG_SZ", "1.71"
    "EstimatedSize"="REG_DWORD", 94776
    "InstallDate"="REG_SZ", "20150915"
    "Publisher"="REG_SZ", "QG Inc."
    "UninstallString"="REG_SZ", ""C:\Program Files (x86)\winmake\uninstall.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting]
    "DontShowUI"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\okwinmake]
    "ID"="REG_SZ", "0CF65EE2-079F-4EF4-915F-2688D5816EA4"
    "InstallAMID"="REG_SZ", "0"
    "InstallDate"="REG_SZ", "15.09.2016 17:38"
    "InstallSID"="REG_SZ", ""
    "restart1"="REG_SZ", "1"
    "restart2"="REG_SZ", "1"
    "Success"="REG_SZ", "1"
    "Version"="REG_SZ", "171"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinQSvc]
    "DisplayName"="REG_SZ", "Window Quick Manager"
    "ErrorControl"="REG_DWORD", 1
    "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\winmake\WinQSync.exe"
    "ObjectName"="REG_SZ", "LocalSystem"
    "Start"="REG_DWORD", 2
    "Type"="REG_DWORD", 16
    "WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinQSvc2]
    "DisplayName"="REG_SZ", "Window Quick Manager2"
    "ErrorControl"="REG_DWORD", 1
    "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\winmake\WinQSync_.exe"
    "ObjectName"="REG_SZ", "LocalSystem"
    "Start"="REG_DWORD", 2
    "Type"="REG_DWORD", 16
    "WOW64"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\winmnt]
    "Success"="REG_SZ", "1"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/15/2016
Scan Time: 5:44 PM
Logfile: mbamWindowQuickManager.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.15.08
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321200
Time Elapsed: 10 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 6
(x86)\winmake\locales\te.pak, Quarantined, [185c6210bae0c86e2d53ae410ef66898], PUP.Optional.WinMake, C:\Program Files (x86)\winmake\locales\th.pak, Quarantined, [185c6210bae0c86e2d53ae410ef66898], PUP.Optional.WinMake, C:\Program Files (x86)\winmake\locales\tr.pak, Quarantined, [185c6210bae0c86e2d53ae410ef66898], PUP.Optional.WinMake, C:\Program Files (x86)\winmake\locales\uk.pak, Quarantined, [185c6210bae0c86e2d53ae410ef66898], PUP.Optional.WinMake, C:\Program Files (x86)\winmake\locales\vi.pak, Quarantined, [185c6210bae0c86e2d53ae410ef66898], PUP.Optional.WinMake, C:\Program Files (x86)\winmake\locales\zh-CN.pak, Quarantined, [185c6210bae0c86e2d53ae410ef66898], PUP.Optional.WinMake, C:\Program Files (x86)\winmake\locales\zh-TW.pak, Quarantined, [185c6210bae0c86e2d53ae410ef66898], PUP.Optional.WinMake, C:\Program Files (x86)\winmake\plugins\pepflashplayer.dll, Quarantined, [185c6210bae0c86e2d53ae410ef66898], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is OneKit?

The Malwarebytes research team has determined that OneKit is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by OneKit?

You may see this entry in your list of installed programs:
This icon in your taskbar:
and these or similar warnings during install:
Example of the installer, this one aimed at Brazilian users

How did OneKit get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove OneKit?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of OneKit?

No, Malwarebytes' Anti-Malware removes OneKit completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the OneKit adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:

() C:\Users\{username}\AppData\Local\Temp\instloffer.exe
() C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe
C:\Program Files (x86)\SoftwareUpdater
C:\Users\{username}\AppData\Local\Temp\instloffer.exe
C:\Users\{username}\AppData\Local\Temp\saveclicker_developer.exe
SoftwareUpdater (HKLM-x32\...\SoftwareUpdater) (Version: - ) <==== ATTENTION
() C:\Users\{username}\AppData\Local\Temp\nscB3A7.tmp\nsPROCESS.dll
() C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe
() C:\Program Files (x86)\SoftwareUpdater\KeyGen.dll

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\SoftwareUpdater
Adds the file AppsUpdater.exe"="10/1/2014 12:30 PM, 74240 bytes, A
Adds the file AppsUpdater.exe.config"="9/29/2014 5:08 PM, 3364 bytes, A
Adds the file config.xml"="9/14/2016 9:53 AM, 858 bytes, A
Adds the file Interop.Shell32.dll"="3/13/2014 9:23 AM, 49152 bytes, A
Adds the file KeyGen.dll"="3/13/2014 9:23 AM, 93184 bytes, A
Adds the file translations.xml"="9/29/2014 5:08 PM, 6580 bytes, A
Adds the file uninstall.exe"="9/14/2016 9:53 AM, 304174 bytes, A
Adds the file UpdaterService.exe"="3/9/2015 12:36 PM, 39424 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater]
"DisplayName"="REG_SZ", "SoftwareUpdater"
"UninstallString"="REG_SZ", "C:\Program Files (x86)\SoftwareUpdater\uninstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SoftwareUpdater]
"enduser_id"="REG_SZ", "544796"
"partner_keyword"="REG_SZ", "BEGINPRO"
"UpdaterPath"="REG_SZ", "C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Vittalia\AxtanInstaller]
"enduser_id"="REG_SZ", "1229134"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\SrvSwUpd4ter]
"EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\EventLogMessages.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SrvUpdater]
"DisplayName"="REG_SZ", "Software Updater"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1

Malwarebytes Anti-Malware log:

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
  9. What is CatHomePage?

The Malwarebytes research team has determined that CatHomePage is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements. CatHomePage is a Mindspark/Ask toolbar now known as IAC Applications.

How do I know if my computer is affected by CatHomePage?

You may see these browser extensions/add-ons:
You may see this entry in your list of installed software:
these warnings during install:
this warning in your Google Chrome settings:
and this startpage for your browser(s):

How did CatHomePage get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.

How do I remove CatHomePage?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of CatHomePage?

If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the CatHomePage entry. If you are using Chrome or Firefox, you can find additional helpful information on our Restore Browser page.
You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the CatHomePage hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in a FRST log:

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/cathomepage/ttab02/index.html?n={n1}&p2={p21}&ptb={ptb1}
FF Homepage: hxxp://hp.myway.com/cathomepage/ttab02/index.html?coId={coID1}&subId&ln=en&n={n2}&ptb={ptb2}&st=tab&p2={p21}&si
FF Extension: CatHomepage - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_hrMembers_@free.cathomepage.com [2016-09-13]
CHR Extension: (CatHomepage) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glhahjphgpghoefihgllamaapanabkmp [2016-09-13]
C:\Users\{username}\AppData\Local\CatHomepageTooltab
CatHomepage Internet Explorer Homepage and New Tab (HKCU\...\CatHomepageTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network) <==== ATTENTION

An excerpt from the Malwarebytes Anti-Malware scan log: (full log available on request)
C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[b2f74130abef84b2f2b715c40ef6db25] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[d4d5a8c90c8e4cea3772e1f8a3618b75] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[4861521f7f1bf541d4d530a9867ed42c] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[4564007186142b0bebbedefb897b3fc1] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[e0c9472a2476043251587168f70d36ca] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[b6f3b4bd049642f47633cd0c07fd28d8] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (user_pref("app.up), Replaced,[99107cf55644d6605e4b2dac61a3b64a] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[a900c9a874264beb6247a930d133e719] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[b5f4fd74cfcb6dc943667960b252bc44] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[7534d0a12a70f244d0d94a8f91736d93] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), 
Replaced,[19903a37f7a34ee84a5fa13842c29a66] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (user_pr), Replaced,[5554f67bf2a8221409a0796062a208f8] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[ebbe155c9307270fa6035782966e956b] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[bbee82efa0faeb4b7e2b6a6f9d67b44c] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[d8d1f27f594112243970d10894700bf5] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[d7d268097723290d9e0b40991de741bf] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[a30670012179a393347517c29c6833cd] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[773291e04b4fc6709f0a835614f0966a] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[affa96dbff9bcf6724856c6d9d67c13f] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[c1e8323f3a6069cd496045944fb5f709] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[6a3f5e133a601d192881c910a55ff907] PUP.Optional.MindSpark.Generic, 
C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[7039502127732b0b169306d3be4660a0] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[b2f77bf696041620505921b840c47e82] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (user_pref("app.update.auto", false); user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1466412211); user_pref("app.update.lastUpdateTime.background-update-timer", 1466411971); user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1466412331); us), Replaced,[7831bbb65f3bde5801a888516b997e82] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (user_pref("app.update.auto", false); user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1466412211); user_pref("ap), Replaced,[7930452c7b1fd85e9a0fe8f1a85cd32d] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: ("app.update.lastUpdateTime.addon-background-update-timer", ), Replaced,[b6f3a8c90a907abc5c4d4891da2a01ff] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[57525918a7f35ed89910627784802dd3] PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\prefs.js, Good: (), Bad: (), Replaced,[d8d10c650397fa3c911813c6d52f1be5] Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. 
We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
  10. What is Pakistani Girls Mobile Data?

The Malwarebytes research team has determined that Pakistani Girls Mobile Data is a Trojan.HostHijack. These trojans are designed to redirect your internet traffic. This particular one installs an altered version of the legitimate MVPS hosts file. The hijackers replaced the 0.0.0.0 addresses, which the MVPS file uses to block domains, with their own IP address so that the traffic is redirected to their own target site.

How do I know if my computer is affected by Pakistani Girls Mobile Data?

You may see this entry in your list of installed programs:

You may also see some alarms or reports regarding failed connections to the domain pakistangirls[.]info.

How did Pakistani Girls Mobile Data get on my computer?

Trojans use different methods for distributing themselves. This particular one was offered as a database of girls' mobile data.

How do I remove Pakistani Girls Mobile Data?

Our program Malwarebytes Anti-Malware can detect and remove this trojan.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Pakistani Girls Mobile Data?

Pakistani Girls Mobile Data replaces your hosts file, so you may have to restore the old one. You can find third-party hosts file alternatives at hpHosts or at mvps.org or you can simply reset the default hosts file as outlined here by Microsoft.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this trojan. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Pakistani Girls Mobile Data trojan. It would have warned you before the trojan could install itself, giving you a chance to stop it before it became too late. It would also block some of the connections made by this trojan and the consequential redirects.

Technical details for experts

Possible signs in FRST logs:

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
(Pakistani Girls Mobile Data ) C:\Users\{username}\Desktop\Pakistani-Girls-Mobile-Data.exe
Pakistani Girls Mobile Data 1.5.8 (HKLM-x32\...\Pakistani Girls Mobile Data 1.5.8) (Version: 1.5.8 - Pakistani Girls Mobile Data)
127.0.0.1 localhost
188.138.17.135 m.fr.a2dfp.net
188.138.17.135 mfr.a2dfp.net
188.138.17.135 ad.a8.net
188.138.17.135 asy.a8ww.net
188.138.17.135 static.a-ads.com
188.138.17.135 abcstats.com
188.138.17.135 a.abv.bg
188.138.17.135 adserver.abv.bg
188.138.17.135 adv.abv.bg
188.138.17.135 bimg.abv.bg
188.138.17.135 ca.abv.bg
188.138.17.135 track.acclaimnetwork.com
188.138.17.135 accuserveadsystem.com
188.138.17.135 www.accuserveadsystem.com
188.138.17.135 achmedia.com
188.138.17.135 csh.actiondesk.com
188.138.17.135 ads.activepower.net
188.138.17.135 app.activetrail.com
188.138.17.135 stat.active24stats.nl #[Tracking.Cookie]
188.138.17.135 traffic.acwebconnecting.com
188.138.17.135 office.ad1.ru
188.138.17.135 cms.ad2click.nl
188.138.17.135 ad2games.com
188.138.17.135 ads.ad2games.com
188.138.17.135 content.ad20.net
188.138.17.135 core.ad20.net
188.138.17.135 banner.ad.nu
188.138.17.135 adadvisor.net
188.138.17.135 tag1.adaptiveads.com
There are 11878 more lines.
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Windows\System32\drivers\etc
Alters the file hosts 6/10/2009 11:00 PM, 824 bytes, A ==> 8/28/2016 2:15 PM, 594944 bytes, RHA
In the existing folder C:\Windows\SysWOW64
Adds the file link.bat"="1/11/2016 11:49 PM, 43 bytes, RHA

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Pakistani Girls Mobile Data 1.5.8]
"DisplayIcon"="REG_SZ", "C:\Windows\System32\drivers\etc\Uninstall.exe"
"DisplayName"="REG_SZ", "Pakistani Girls Mobile Data 1.5.8"
"DisplayVersion"="REG_SZ", "1.5.8"
"EstimatedSize"="REG_DWORD", 581
"InstallDate"="REG_SZ", "20160912"
"InstallLocation"="REG_SZ", "C:\Windows\System32\drivers\etc\"
"InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
"Language"="REG_DWORD", 1033
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Pakistani Girls Mobile Data"
"UninstallString"="REG_SZ", "C:\Windows\System32\drivers\etc\Uninstall.exe"
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 5

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/12/2016
Scan Time: 3:54 PM
Logfile: mbamPakistanGirls.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.12.05
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320291
Time Elapsed: 10 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Trojan.HostsHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Pakistani Girls Mobile Data 1.5.8, Quarantined, [d471e889564471c555b1d81343c1ad53],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.HostsHijack, C:\Users\{username}\Desktop\Pakistani-Girls-Mobile-Data.exe, Quarantined, [59ec224fa4f6c86e259dfded689c6e92],
Trojan.DNSChanger, C:\Windows\SysWOW64\link.bat, Quarantined, [e65f9fd29ffbbb7b2d36c9f7e81bf50b],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
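The hosts-file hijack described in this guide (blocklist entries repointed from 0.0.0.0 to one routable address) can be checked for with a short audit script. The following Python is an added example, not part of the original guide or of any Malwarebytes tool; the sample hosts text, the function names and the `bulk_threshold` value are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a blocklist-style hosts file in which most sinkhole
# entries were rewritten to one routable address (TEST-NET-3, RFC 5737).
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real machine
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net
203.0.113.7 tracker.example.org
203.0.113.7 banner.example.com cdn.banner.example.com
203.0.113.7 stats.example.net #[Tracking.Cookie]
192.168.1.20 nas.home.example
not-an-ip broken.example
"""


def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostnames) for every mapping line.

    Comments (full-line and trailing) are stripped, a leading BOM is
    ignored, and a line may map several hostnames to one address.
    """
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname maps nothing
        names = [h.lower() for h in fields[1:]]
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, names  # first field is not an IP address
            continue
        yield line_no, ip, names


def audit_hosts(text, bulk_threshold=3):
    """Separate sinkhole entries from redirects and flag bulk redirects.

    Loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) targets are
    how blocklists such as the MVPS file disable a domain. Any other
    target sends traffic somewhere; one address receiving many unrelated
    hostnames is the hijack pattern. bulk_threshold is an assumed cut-off.
    """
    redirects = defaultdict(set)
    malformed = []
    sinkholed = 0
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            malformed.append(line_no)
        elif ip.is_loopback or ip.is_unspecified:
            sinkholed += len(names)
        else:
            redirects[str(ip)].update(names)
    bulk = sorted(ip for ip, names in redirects.items()
                  if len(names) >= bulk_threshold)
    return {
        "sinkholed": sinkholed,
        "redirects": {ip: sorted(names) for ip, names in redirects.items()},
        "bulk_redirect_ips": bulk,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    # To audit a real machine, read the hosts file from the folder named
    # in the guide (C:\Windows\System32\drivers\etc) instead of the sample.
    report = audit_hosts(SAMPLE_HOSTS)
    print("sinkholed hostnames:", report["sinkholed"])
    for ip in report["bulk_redirect_ips"]:
        print("bulk redirect target:", ip, "->", report["redirects"][ip])
    print("malformed lines:", report["malformed_lines"])
```

A single private-range entry such as the NAS mapping in the sample is ordinary administration and stays below the threshold; a jump in file size like the 824 to 594944 bytes recorded in the technical details is a second signal worth checking alongside this output.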
  11. What is SPC Optimizer?

The Malwarebytes research team has determined that SPC Optimizer is a fake system optimizer. These so-called "registry cleaners" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Unpacked blog.

How do I know if I am infected with SPC Optimizer?

This is how the main screen of the system optimizer looks:

You may see this entry in your list of installed programs:

and this task in your Task Scheduler:

How did SPC Optimizer get on my computer?

These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website.

How do I remove SPC Optimizer?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of SPC Optimizer?

No, Malwarebytes' Anti-Malware removes SPC Optimizer completely. This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the SPC Optimizer installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

You may see these entries in FRST logs:

() C:\Program Files (x86)\SPCOptimizer\PCOptimizer_service.exe
() C:\Program Files (x86)\SPCOptimizer\trayservice.exe
R2 PCOptimizerService; C:\Program Files (x86)\SPCOptimizer\\PCOptimizer_service.exe [42496 2016-08-28] () [File not signed]
C:\Program Files (x86)\SPCOptimizer
C:\Windows\System32\Tasks\SPCOPTIMIZER
SPCOptimizer 1.3 (HKLM-x32\...\SPCOptimizer 1.3) (Version: 1.3 - Suresh Technologies)
Task: {23C0F35E-D29D-42FE-ABF4-EA2EEF226E5B} - System32\Tasks\SPCOPTIMIZER => C:\Program Files (x86)\SPCOptimizer\\trayservice.exe [2016-08-14] ()

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
  12. What is MusicManager?
The Malwarebytes research team has determined that MusicManager is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by MusicManager?
You may see these entries in your list of installed programs: this icon in your Start menu: and this Scheduled Task:

How did MusicManager get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove MusicManager?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of MusicManager?
No, Malwarebytes Anti-Malware removes MusicManager completely.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the MusicManager adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
The web protection module also blocks some of the connections the installer tries to make:
Technical details for experts
Possible signs in FRST logs:
Alterations made by the installer:
File system details
Registry details
Malwarebytes Anti-Malware log:
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is ns?
The Malwarebytes research team has determined that ns is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by ns?
You may see this entry in your list of installed programs:

How did ns get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove ns?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of ns?
No, Malwarebytes Anti-Malware removes ns completely.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the ns adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
Alterations made by the installer:
File system details
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\nsData\yahoo\temp Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MediaData] "SvcName"="REG_SZ", "ns" "userid"="REG_SZ", "97d23d8d09cfc942a9ef5f08edcdd8ec41701e6dc7ca5c9cc58fd89662e02082" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ns] "DisplayName"="REG_SZ", "ns" "DisplayVersion"="REG_SZ", "0.0.125" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\ns\" "Publisher"="REG_SZ", "ns" "UninstallString"="REG_EXPAND_SZ, "C:\Program Files (x86)\ns\Uninstaller.exe" "VersionMajor"="REG_SZ", "0" "VersionMinor"="REG_SZ", "0" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ns] "Description"="REG_SZ", "ns" "DisplayName"="REG_SZ", "ns" "ErrorControl"="REG_DWORD", 1 "FailureActions"="REG_BINARY, ...................... "FailureCommand"="REG_SZ", "C:\Program Files (x86)\ns\ns.exe crashed" "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\ns\ns.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 272 "WOW64"="REG_DWORD", 1 Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 9/7/2016 Scan Time: 9:08 AM Logfile: mbamNS.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.09.07.01 Rootkit Database: v2016.08.15.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 319847 Time Elapsed: 9 min, 17 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 2 PUP.Optional.MediaForest, C:\Program Files (x86)\ns\ns.exe, 192, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e] PUP.Optional.MediaForest, C:\Program Files (x86)\ns\ns.exe, 3636, 
Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e] Modules: 30 PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_bzip2-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_bzip2-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_chrono-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_chrono-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_date_time-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_date_time-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_filesystem-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_filesystem-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_iostreams-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_iostreams-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_system-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_system-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_thread-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_thread-vc120-mt-1_59.dll, Delete-on-Reboot, 
[5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\cpprest120_xp_2_6.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\cpprest120_xp_2_6.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\libeay32.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\libeay32.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\libesedb.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\libesedb.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\lua53.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\lua53.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\msvcp120.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\msvcp120.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\msvcr120.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\msvcr120.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\ssleay32.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\ssleay32.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\zlib.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\zlib.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], Registry Keys: 2 
PUP.Optional.MediaForest, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ns, Quarantined, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ns, Quarantined, [5fee1659acee3afc37e923c148bc728e], Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 1 PUP.Optional.MediaForest, C:\Program Files (x86)\ns, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], Files: 19 Adware.Agent, C:\Users\{username}\Desktop\ns.exe, Quarantined, [6ae3c3ac257594a2608727bd758f3bc5], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\EULA.txt, Quarantined, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_bzip2-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_chrono-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_date_time-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_filesystem-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_iostreams-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_system-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\boost_thread-vc120-mt-1_59.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\cpprest120_xp_2_6.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\libeay32.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\libesedb.dll, 
Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\lua53.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\msvcp120.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\msvcr120.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\ns.exe, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\ssleay32.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\Uninstaller.exe, Quarantined, [5fee1659acee3afc37e923c148bc728e], PUP.Optional.MediaForest, C:\Program Files (x86)\ns\zlib.dll, Delete-on-Reboot, [5fee1659acee3afc37e923c148bc728e], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is DestinyHoroscopes?

The Malwarebytes research team has determined that DestinyHoroscopes is adware. These adware applications display advertisements not originating from the sites you are browsing. This one also hijacks one of your browsers.

How do I know if my computer is affected by DestinyHoroscopes?

You may see this entry in your list of installed programs: this warning during install: this browser helper object in Internet Explorer: and this site opening up in your new tabs:

How did DestinyHoroscopes get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove DestinyHoroscopes?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of DestinyHoroscopes?

No, Malwarebytes' Anti-Malware removes DestinyHoroscopes completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the DestinyHoroscopes adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late. The web protection module also blocks some of the connections the installer tries to make:

Technical details for experts

Possible signs in FRST logs:

BHO-x32: DestinyHoroscopes -> {6A5595C4-EFD9-4201-99C2-A0351588DDD3} -> C:\Users\{username}\AppData\Local\DestinyHoroscopes\deyhos.dll [2016-06-22] (DestinyHoroscopes)
C:\Users\{username}\AppData\Local\DestinyHoroscopes
DestinyHoroscopes (HKCU\...\DestinyHoroscopes) (Version: 1.0.0 - )

Alterations made by the installer:

File system details
Registry details

Malwarebytes Anti-Malware log:

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  15. What is Window Common Manager? The Malwarebytes research team has determined that Window Common Manager is adware. These adware applications display advertisements not originating from the sites you are browsing. This one belongs to the WinRange family. How do I know if my computer is affected by Window Common Manager? You may see this entry in your list of installed programs: How did Window Common Manager get on my computer? Adware applications use different methods for distributing themselves. This particular one was bundled with other software. How do I remove Window Common Manager? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. Please download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-{version}.exe and follow the prompts to install the program. At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware Then click Finish. Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu. If an update is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Window Common Manager? No, Malwarebytes' Anti-Malware removes Window Common Manager completely. How would the full version of Malwarebytes Anti-Malware help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Window Common Manager adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late. 
The web protection module also blocks some of the connections the installer tries to make: Technical details for experts Possible signs in FRST logs: (Abracadabra LLP) C:\Program Files (x86)\wincom\WinComSync.exe (Abracadabra LLP) C:\Program Files (x86)\wincom\WinCom.exe (Abracadabra LLP) C:\Program Files (x86)\wincom\WinComSync_.exe (Abracadabra LLP) C:\Program Files (x86)\wincom\WinCom_.exe R2 WinComSvc; C:\Program Files (x86)\wincom\WinComSync.exe [202240 2016-08-31] (Abracadabra LLP) [File not signed] R2 WinComSvc2; C:\Program Files (x86)\wincom\WinComSync_.exe [128512 2016-08-31] (Abracadabra LLP) [File not signed] C:\Users\{username}\AppData\Local\CEF C:\Program Files (x86)\wincom Window Common Manager (HKLM-x32\...\Window Common Manager) (Version: 1.70 - Abracadabra LLP) () C:\Program Files (x86)\WinCom\libcef.dll () C:\Program Files (x86)\WinCom\log4cplusU.dll Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\wincom Adds the file cef.pak"="6/20/2016 8:37 AM, 2749972 bytes, A Adds the file cef_100_percent.pak"="6/20/2016 8:37 AM, 146067 bytes, A Adds the file cef_200_percent.pak"="6/20/2016 8:37 AM, 235262 bytes, A Adds the file cef_extensions.pak"="6/20/2016 8:37 AM, 4409164 bytes, A Adds the file d3dcompiler_43.dll"="6/20/2016 8:37 AM, 2106216 bytes, A Adds the file d3dcompiler_47.dll"="6/20/2016 8:37 AM, 3709120 bytes, A Adds the file devtools_resources.pak"="6/20/2016 8:37 AM, 4740603 bytes, A Adds the file icudtl.dat"="6/20/2016 8:37 AM, 10127152 bytes, A Adds the file libcef.dll"="6/20/2016 8:37 AM, 52043776 bytes, A Adds the file libcurl.dll"="10/27/2014 6:11 PM, 1358336 bytes, A Adds the file libEGL.dll"="6/20/2016 8:37 AM, 80384 bytes, A Adds the file libGLESv2.dll"="6/20/2016 8:37 AM, 1734656 bytes, A Adds the file log4cplusU.dll"="1/14/2015 11:55 AM, 386560 bytes, A Adds the file msvcp120.dll"="11/24/2014 9:23 AM, 455328 
bytes, A Adds the file msvcr120.dll"="11/24/2014 9:23 AM, 970912 bytes, A Adds the file natives_blob.bin"="6/20/2016 8:37 AM, 415490 bytes, A Adds the file release.log"="9/5/2016 8:57 AM, 0 bytes, A Adds the file snapshot_blob.bin"="6/20/2016 8:37 AM, 517972 bytes, A Adds the file Uninstall.exe"="9/5/2016 8:57 AM, 189938 bytes, A Adds the file widevinecdmadapter.dll"="6/20/2016 8:37 AM, 212992 bytes, A Adds the file WinCom.exe"="8/31/2016 3:53 PM, 688128 bytes, A Adds the file WinCom_.exe"="8/31/2016 3:55 PM, 688128 bytes, A Adds the file WinComSync.exe"="8/31/2016 4:24 PM, 202240 bytes, A Adds the file WinComSync_.exe"="8/31/2016 4:06 PM, 128512 bytes, A Adds the file wincomtask.exe"="8/31/2016 4:53 PM, 1890304 bytes, A Adds the file wincomtask_.exe"="8/31/2016 4:55 PM, 1822208 bytes, A Adds the file wow_helper.exe"="5/13/2016 9:59 AM, 67072 bytes, A Adds the folder C:\Program Files (x86)\wincom\cache Adds the file Cookies"="9/5/2016 8:59 AM, 11264 bytes, A Adds the file Cookies-journal"="9/5/2016 8:59 AM, 0 bytes, A Adds the file data_0"="9/5/2016 8:57 AM, 45056 bytes, A Adds the file f_000035"="9/5/2016 8:59 AM, 42050 bytes, A Adds the file index"="9/5/2016 8:57 AM, 262512 bytes, A Adds the file Visited Links"="9/5/2016 8:59 AM, 131072 bytes, A Adds the folder C:\Program Files (x86)\wincom\cache\GPUCache Adds the file data_0"="9/5/2016 8:57 AM, 8192 bytes, A Adds the file index"="9/5/2016 8:57 AM, 262512 bytes, A Adds the folder C:\Program Files (x86)\wincom\cache1 Adds the file Cookies"="9/5/2016 8:59 AM, 11264 bytes, A Adds the file Cookies-journal"="9/5/2016 8:59 AM, 0 bytes, A Adds the file data_0"="9/5/2016 8:58 AM, 45056 bytes, A Adds the file f_000010"="9/5/2016 8:58 AM, 177616 bytes, A Adds the file index"="9/5/2016 8:57 AM, 262512 bytes, A Adds the file Visited Links"="9/5/2016 8:58 AM, 131072 bytes, A Adds the folder C:\Program Files (x86)\wincom\cache1\GPUCache Adds the file data_0"="9/5/2016 8:57 AM, 8192 bytes, A Adds the file index"="9/5/2016 8:57 
AM, 262512 bytes, A Adds the folder C:\Program Files (x86)\wincom\locales Adds the folder C:\Program Files (x86)\wincom\plugins Adds the file pepflashplayer.dll"="6/30/2016 3:25 AM, 31555776 bytes, A Adds the folder C:\Program Files (x86)\wincom\Update Adds the folder C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\okwincom] "ID"="REG_SZ", "DE397CEE-A0DB-46B4-8140-613CF646DC8C" "InstallAMID"="REG_SZ", "" "InstallSID"="REG_SZ", "" "Version"="REG_SZ", "170" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Window Common Manager] "DisplayName"="REG_SZ", "Window Common Manager" "DisplayVersion"="REG_SZ", "1.70" "EstimatedSize"="REG_DWORD", 95886 "InstallDate"="REG_SZ", "20150905" "Publisher"="REG_SZ", "Abracadabra LLP" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\wincom\uninstall.exe"" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\okwincom] "ID"="REG_SZ", "DE397CEE-A0DB-46B4-8140-613CF646DC8C" "InstallAMID"="REG_SZ", "0" "InstallDate"="REG_SZ", "05.09.2016 8:57" "InstallSID"="REG_SZ", "" "restart1"="REG_SZ", "1" "restart2"="REG_SZ", "1" "Success"="REG_SZ", "1" "Version"="REG_SZ", "170" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinComSvc] "DisplayName"="REG_SZ", "Window Common Manager" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\wincom\WinComSync.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinComSvc2] "DisplayName"="REG_SZ", "Window Common Manager2" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\wincom\WinComSync_.exe" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 "WOW64"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\winmnt] "Success"="REG_SZ", "1" Malwarebytes 
Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/5/2016
Scan Time: 9:09 AM
Logfile: mbamWinCom.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.05.02
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319912
Time Elapsed: 9 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 6
Modules: 21
Registry Keys: 5
Registry Values: 4
Registry Data: 0
(No malicious items detected)
Folders: 8
Files: 201
Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full
version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.