Metallica (Moderator, Netherlands)
What is DefaultTab?

The Malwarebytes research team has determined that DefaultTab is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is affected by DefaultTab?

You may see this entry in your list of installed software:

[screenshot]

and these browser add-ons:

[screenshot]

Firefox disables the unsigned extension, and you will see this start page and search window:

[screenshot]

How did DefaultTab get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove DefaultTab?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware. Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of DefaultTab?

No, Malwarebytes' Anti-Malware removes DefaultTab completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the DefaultTab hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

[screenshot]
and it stops the connections the browser hijacker tries to make:

[screenshot]

Technical details for experts

Possible signs in FRST logs:

() C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\dtupdate.exe
() C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe
HKU\S-1-5-21-1350903546-318028887-1286703239-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.mysearchresults.com/?c=9999&t=01
SearchScopes: HKU\S-1-5-21-1350903546-318028887-1286703239-1003 -> {DA58A037-9798-4A46-A740-21039973307A} URL = hxxp://www.mysearchresults.com/search?c=9999&t=01&q={searchTerms}
BHO-x32: DefaultTab Browser Helper -> {7F6AFBF1-E065-4627-A2FD-810366367D01} -> C:\Users\{username}\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll [2016-07-22] (Search Results LLC.)
FF Extension: Default Tab - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\nch5mqsa.default\Extensions\addon@defaulttab.com.xpi [2016-07-22] [not signed]
CHR Extension: (DefaultTab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc [2016-07-22]
CHR HKLM-x32\...\Chrome\Extension: [kdidombaedgpfiiedeimiebkmbilgmlc] - C:\Program Files (x86)\DefaultTab\DefaultTab.crx [2013-10-07]
R2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [573952 2013-10-07] () [File not signed]
R2 DefaultTabUpdate; C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\dtupdate.exe [107520 2016-07-22] () [File not signed]
C:\Program Files (x86)\DefaultTab
C:\Users\{username}\AppData\Roaming\defaulttab
DefaultTab (HKLM-x32\...\DefaultTab) (Version: 2.3.3.0 - Search Results, LLC) <==== ATTENTION

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\DefaultTab
Adds the file DefaultTab.crx"="10/7/2013 6:54 PM, 332886 bytes, A
Adds the file DefaultTabSearch.exe"="10/7/2013 6:54 PM, 573952 bytes, A
Adds the file uid"="7/22/2016 9:25 AM, 64 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_0
Adds the file 18x18.png"="11/30/1979 12:00 AM, 697 bytes, A
Adds the file background.html"="11/30/1979 12:00 AM, 418 bytes, A
Adds the file blank.html"="11/30/1979 12:00 AM, 586 bytes, A
Adds the file manifest.json"="11/30/1979 12:00 AM, 2834 bytes, A
Adds the file manifest_no_button.json"="11/30/1979 12:00 AM, 2834 bytes, A
Adds the file new_tab.html"="11/30/1979 12:00 AM, 181 bytes, A
Adds the file search_box.html"="11/30/1979 12:00 AM, 606 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_0\css
Adds the file injection.css"="11/30/1979 12:00 AM, 15212 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_0\css\jquery_ui
Adds the file jquery-ui-1.8.16.custom.css"="11/30/1979 12:00 AM, 34434 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_0\css\jquery_ui\images
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_0\images
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_0\js
Adds the file bg.js"="11/30/1979 12:00 AM, 16247 bytes, A
Adds the file ConfigManager.js"="11/30/1979 12:00 AM, 2642 bytes, A
Adds the file content.js"="11/30/1979 12:00 AM, 659 bytes, A
Adds the file InjectionManager.js"="11/30/1979 12:00 AM, 397 bytes, A
Adds the file jquery.guid.js"="11/30/1979 12:00 AM, 3269 bytes, A
Adds the file jquery-1.7.1.min.js"="11/30/1979 12:00 AM, 93868 bytes, A
Adds the file jquery-ui-1.8.16.custom.min.js"="11/30/1979 12:00 AM, 210463 bytes, A
Adds the file newTab.js"="11/30/1979 12:00 AM, 652 bytes, A
Adds the file SearchBox.js"="11/30/1979 12:00 AM, 9775 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_0\plugins
Adds the file npDefaultTabSearch.dll"="11/30/1979 12:00 AM, 254976 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab
Adds the file addon.ico"="7/22/2016 9:24 AM, 1078 bytes, A
Adds the file DefaultTabBHO.cfg"="7/22/2016 9:25 AM, 3674 bytes, A
Adds the file DefaultTabBHO.dll"="7/22/2016 9:24 AM, 462968 bytes, A
Adds the file DefaultTabStart.exe"="7/22/2016 9:24 AM, 50296 bytes, A
Adds the file DefaultTabStart64.exe"="7/22/2016 9:24 AM, 53880 bytes, A
Adds the file defaulttabuninstaller.exe"="7/22/2016 9:24 AM, 53904 bytes, A
Adds the file DefaultTabWrap.dll"="7/22/2016 9:24 AM, 436856 bytes, A
Adds the file DefaultTabWrap64.dll"="7/22/2016 9:24 AM, 520824 bytes, A
Adds the file DT.ico"="7/22/2016 9:24 AM, 2238 bytes, A
Adds the file dtupdate.exe"="7/22/2016 9:24 AM, 107520 bytes, A
Adds the file searchhere.ico"="7/22/2016 9:24 AM, 1150 bytes, A
Adds the file uninstalldt.exe"="7/22/2016 9:27 AM, 636552 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
Adds the file addon@defaulttab.com.xpi"="7/22/2016 9:27 AM, 44290 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{38495740-0035-4471-851E-F5BBB86AB085}]
"(Default)"="REG_SZ", "DefaultTabBHO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}]
"LocalService"="REG_SZ", "DefaultTabUpdate"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL]
"AppID"="REG_SZ", "{38495740-0035-4471-851E-F5BBB86AB085}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser]
"(Default)"="REG_SZ", "DefaultTab Browser Helper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser\CLSID]
"(Default)"="REG_SZ", "{7F6AFBF1-E065-4627-A2FD-810366367D01}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser\CurVer]
"(Default)"="REG_SZ", "DefaultTabBHO.DefaultTabBrowser.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser.1]
"(Default)"="REG_SZ", "DefaultTab Browser Helper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser.1\CLSID]
"(Default)"="REG_SZ", "{7F6AFBF1-E065-4627-A2FD-810366367D01}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX]
"(Default)"="REG_SZ", "DefaultTabBrowserActiveX Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX\CLSID]
"(Default)"="REG_SZ", "{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX\CurVer]
"(Default)"="REG_SZ", "DefaultTabBHO.DefaultTabBrowserActiveX.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1]
"(Default)"="REG_SZ", "DefaultTabBrowserActiveX Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1\CLSID]
"(Default)"="REG_SZ", "{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}]
"(Default)"="REG_SZ", "IDefaultTabBrowser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}\TypeLib]
"(Default)"="REG_SZ", "{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}]
"(Default)"="REG_SZ", "IDefaultTabBrowserActiveX"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}\TypeLib]
"(Default)"="REG_SZ", "{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}\1.0]
"(Default)"="REG_SZ", "DefaultTabBHO 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}\1.0\0\win32]
"(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}\1.0\FLAGS]
"(Default)"="REG_SZ", "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}\1.0\HELPDIR]
"(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\DefaultTab\DefaultTab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}]
"(Default)"="REG_SZ", "DefaultTab Browser Helper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\InprocServer32]
"(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\ProgID]
"(Default)"="REG_SZ", "DefaultTabBHO.DefaultTabBrowser.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\TypeLib]
"(Default)"="REG_SZ", "{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\VersionIndependentProgID]
"(Default)"="REG_SZ", "DefaultTabBHO.DefaultTabBrowser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}]
"(Default)"="REG_SZ", "DefaultTabBrowserActiveX Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}\InprocServer32]
"(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}\ProgID]
"(Default)"="REG_SZ", "DefaultTabBHO.DefaultTabBrowserActiveX.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}\TypeLib]
"(Default)"="REG_SZ", "{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}\VersionIndependentProgID]
"(Default)"="REG_SZ", "DefaultTabBHO.DefaultTabBrowserActiveX"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}]
"(Default)"="REG_SZ", "IDefaultTabBrowser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}\TypeLib]
"(Default)"="REG_SZ", "{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}]
"(Default)"="REG_SZ", "IDefaultTabBrowserActiveX"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}\TypeLib]
"(Default)"="REG_SZ", "{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Default Tab]
"001"="REG_SZ", "2.2.42.0"
"002"="REG_SZ", "1.4.6.0"
"003"="REG_SZ", "1.1.29.0"
"InstallDate"="REG_SZ", "2016-07-22 09:27"
"Version"="REG_SZ", "2.3.3.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Default Tab\P]
"01"="REG_SZ", "E72F661A8A54C07E5D11C114523749F2"
"02"="REG_SZ", "9999"
"03"="REG_SZ", "255"
"04"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Default Tab\Update]
"ieVersion"="REG_SZ", "1.4.6.0"
"last_update_check"="REG_QWORD, ....
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DefaultTab\ChromeExtension]
"addedsearchengines"="REG_SZ", "|search here|facebook|amazon|wikipedia|twitter|ebay"
"affid"="REG_SZ", "9999"
"cfg"="REG_SZ", "255"
"defaultState"="REG_SZ", "2"
"homepage"="REG_SZ", ""
"keyword"="REG_SZ", ""
"LastUpdateCheck"="REG_SZ", "1469172309"
"name"="REG_SZ", ""
"silent"="REG_SZ", "0"
"Status"="REG_SZ", "3"
"UpdatePending"="REG_SZ", "0"
"version"="REG_SZ", "1.1.29"
"yw3i"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc]
"path"="REG_SZ", "C:\Program Files (x86)\DefaultTab\DefaultTab.crx"
"version"="REG_SZ", "1.1.29"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}]
"(Default)"="REG_SZ", "DefaultTabBHO"
"NoExplorer"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab]
"Comments"="REG_SZ", "Search Results, LLC all rights reserved"
"Contact"="REG_SZ", "Search Results, LLC"
"DisplayName"="REG_SZ", "DefaultTab"
"DisplayVersion"="REG_SZ", "2.3.3.0"
"InstallLocation"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab""
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Search Results, LLC"
"UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\uninstalldt.exe""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DefaultTabSearch]
"DisplayName"="REG_SZ", "DefaultTabSearch"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 272
"WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DefaultTabUpdate]
"DependOnService"="REG_MULTI_SZ, "RPCSS "
"Description"="REG_SZ", "DefaultTab Update Service"
"DisplayName"="REG_SZ", "DefaultTabUpdate"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, ""C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\dtupdate.exe""
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\AppDataLow\Software\DefaultTab\BHO]
"extensions.defaulttab.browser_version"="REG_SZ", "11"
"extensions.DefaultTab.browser_version2"="REG_SZ", "9.11.9600.18376"
"extensions.defaulttab.browserID"="REG_SZ", "E72F661A8A54C07E5D11C114523749F2"
"extensions.DefaultTab.channel"="REG_SZ", "9999"
"extensions.defaulttab.DefaultScope"="REG_SZ", "Bing"
"extensions.defaulttab.firstrun"="REG_SZ", "false"
"extensions.defaulttab.firstSearch"="REG_SZ", "true"
"extensions.DefaultTab.forcekeywordsearch"="REG_SZ", "true"
"extensions.defaulttab.installedVersion"="REG_SZ", "1.4.0"
"extensions.defaulttab.keyword.URL"="REG_SZ", "chrome://defaulttab/content/keywordURL.xul?"
"extensions.DefaultTab.newtabsearch"="REG_SZ", "true"
"extensions.DefaultTab.overridechromesearch"="REG_SZ", "true"
"extensions.DefaultTab.overridekeywordsearch"="REG_SZ", "true"
"extensions.DefaultTab.searchinnewtab"="REG_SZ", "true"
"extensions.DefaultTab.setdefaultsearch"="REG_SZ", "true"
"extensions.DefaultTab.sethomepage"="REG_SZ", "true"
"extensions.DefaultTab.tabsearchbox"="REG_SZ", "true"
"extensions.DefaultTab.yw3i"="REG_SZ", ""
"extensions.defaulttab.zInitTimer"="REG_SZ", "false"
"extensions.defaulttab.zInstallTime"="REG_SZ", "1469172301"
"extensions.defaulttab.znew_tab_content"="REG_SZ", "{ html code removed, full log available on request } "
"extensions.defaulttab.zREMDefaultScope"="REG_SZ", "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
"extensions.defaulttab.zsearch_engine"="REG_SZ", "Google"
[HKEY_CURRENT_USER\Software\Default Tab]
"001"="REG_SZ", "2.2.42.0"
"002"="REG_SZ", "1.4.6.0"
"003"="REG_SZ", "1.1.29.0"
"InstallDate"="REG_SZ", "2016-07-22 09:27"
"Version"="REG_SZ", "2.3.3.0"
[HKEY_CURRENT_USER\Software\DefaultTab]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{7F6AFBF1-E065-4627-A2FD-810366367D01}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE]
"ShowTabsBelowAddressBar"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}]
"(Default)"="REG_SZ", "DefaultTabBHO"
"NoExplorer"="REG_DWORD", 1

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/22/2016
Scan Time: 9:42 AM
Logfile: mbamDefaultTab.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.22.02
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 315615
Time Elapsed: 8 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\dtupdate.exe, 2868, Delete-on-Reboot, [947674b3f9a11f178ca221002ad6837d]
PUP.Optional.DefaultTab, C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe, 4060, Delete-on-Reboot, [ec1e8b9cb3e75cda9bacbe60ad57946c]

Modules: 0
(No malicious items detected)

Registry Keys: 53
PUP.Optional.DefaultTab, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DefaultTabUpdate, Quarantined, [947674b3f9a11f178ca221002ad6837d],
PUP.Optional.DefaultTab, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DefaultTabSearch, Quarantined, [ec1e8b9cb3e75cda9bacbe60ad57946c],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\APPID\{38495740-0035-4471-851E-F5BBB86AB085}, Quarantined, [dc2eeb3c09916ec8b3e9771854ae827e],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{38495740-0035-4471-851E-F5BBB86AB085}, Quarantined, [dc2eeb3c09916ec8b3e9771854ae827e],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{38495740-0035-4471-851E-F5BBB86AB085}, Quarantined, [dc2eeb3c09916ec8b3e9771854ae827e],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\APPID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}, Quarantined, [2ae0bc6b96045ed88815ace328da3cc4],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}, Quarantined, [2ae0bc6b96045ed88815ace328da3cc4],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}, Quarantined, [2ae0bc6b96045ed88815ace328da3cc4],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\TYPELIB\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\INTERFACE\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\INTERFACE\{BE89FFB3-7F9C-4A16-B475-98B195A06628}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BE89FFB3-7F9C-4A16-B475-98B195A06628}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BE89FFB3-7F9C-4A16-B475-98B195A06628}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\DefaultTabBHO.DefaultTabBrowserActiveX.1, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\DefaultTabBHO.DefaultTabBrowserActiveX, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DefaultTabBHO.DefaultTabBrowserActiveX, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DefaultTabBHO.DefaultTabBrowserActiveX, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DefaultTabBHO.DefaultTabBrowserActiveX.1, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DefaultTabBHO.DefaultTabBrowserActiveX.1, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\DefaultTabBHO.DefaultTabBrowser.1, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\DefaultTabBHO.DefaultTabBrowser, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DefaultTabBHO.DefaultTabBrowser, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DefaultTabBHO.DefaultTabBrowser, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{7F6AFBF1-E065-4627-A2FD-810366367D01}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{7F6AFBF1-E065-4627-A2FD-810366367D01}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DefaultTabBHO.DefaultTabBrowser.1, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DefaultTabBHO.DefaultTabBrowser.1, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{7F6AFBF1-E065-4627-A2FD-810366367D01}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7F6AFBF1-E065-4627-A2FD-810366367D01}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{7F6AFBF1-E065-4627-A2FD-810366367D01}, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363}, Quarantined, [59b130f7d0ca67cf5e4209865ca63bc5],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77}, Quarantined, [f713de49fb9f0432c4ddeda2cc367789],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\APPID\DefaultTabBHO.DLL, Quarantined, [53b7f3341e7c6bcb789a158b7a8924dc],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\DefaultTabBHO.DLL, Quarantined, [a367fb2c603a9d9912001d830cf741bf],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\Default Tab, Quarantined, [13f7ac7b3c5e79bd1ff86838946f32ce],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\DefaultTab, Quarantined, [848605229703f1454ccc851bc83b1be5],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\DefaultTabBHO.DLL, Quarantined, [b456fb2cb5e57bbb81918b159c67f709],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\kdidombaedgpfiiedeimiebkmbilgmlc, Quarantined, [0802998e9406ef47c653ecb4db28a25e],
PUP.Optional.DefaultTab, HKCU\SOFTWARE\Default Tab, Quarantined, [7f8b56d15d3d71c525f01f81c83b946c],
PUP.Optional.DefaultTab, HKCU\SOFTWARE\DefaultTab, Quarantined, [3ad0d45316845dd92ceac3dd41c259a7],
PUP.Optional.DefaultTab, HKCU\SOFTWARE\APPDATALOW\SOFTWARE\DefaultTab, Quarantined, [bc4e91962179e5512be9e7b9f2118977],
PUP.Optional.MySearchResults, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{DA58A037-9798-4A46-A740-21039973307A}, Quarantined, [44c67ea95a4066d0f465eebfc142d729],
PUP.Optional.DefaultTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DefaultTab, Quarantined, [e525c265faa030068ecd238f887af40c],

Registry Values: 1
PUP.Optional.MySearchResults, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{DA58A037-9798-4A46-A740-21039973307A}|URL, http://www.mysearchresults.com/search?c=9999&t=01&q={searchTerms}, Quarantined, [44c67ea95a4066d0f465eebfc142d729]

Registry Data: 1
PUP.Optional.MySearchResults, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://www.mysearchresults.com/?c=9999&t=01, Good: (www.google.com), Bad: (http://www.mysearchresults.com/?c=9999&t=01),Replaced,[070330f78812e650d8881e59659f03fd]

Folders: 19
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp\XPI, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp\XPI\defaulttab, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp\XPI\defaulttab\components, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp\XPI\defaulttab\locale, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp\XPI\defaulttab\locale\en-US, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab, Delete-on-Reboot, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab, Delete-on-Reboot, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\engines_icons, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\plugins, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Program Files (x86)\DefaultTab, Delete-on-Reboot, [7e8ce740e8b20c2add817042f21060a0],

Files: 85
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\dtupdate.exe, Delete-on-Reboot, [947674b3f9a11f178ca221002ad6837d],
PUP.Optional.DefaultTab, C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe, Delete-on-Reboot, [ec1e8b9cb3e75cda9bacbe60ad57946c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\DefaultTabBHO.dll, Quarantined, [a6643aed9a0049ed57470b84d929e719],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\DefaultTabStart.exe, Quarantined, [ce3ca97eecae67cf3e00188af70939c7],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\DefaultTabStart64.exe, Quarantined, [c04a34f3bae00f27e955485a57a9cc34],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\DefaultTabWrap.dll, Quarantined, [88828f987921ac8a5ce21b873ec28e72],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\DefaultTabWrap64.dll, Quarantined, [fe0c6fb84258ca6c05398d1517e96f91],
PUP.Optional.DefaultTab, C:\Users\{username}\Desktop\setup.exe, Quarantined, [c04a40e7d2c89a9cf439938e8d73827e],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions\addon@defaulttab.com.xpi, Quarantined, [7793889fdcbecd69818e316fcd3645bb],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp\DefaultTab.xpi, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Temp\installdt.tmp\XPI\defaulttab\locale\en-US\defaulttab.properties, Quarantined, [d535aa7d73274ee82ae7a7f9e41f57a9],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\addon.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\amazon_ie.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\DefaultTabBHO.cfg, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\defaulttabuninstaller.exe, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\DT.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\ebay_ie.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\facebook_ie.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\searchhere.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\search_here_ie.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\twitter_ie.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\uninstalldt.exe, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Roaming\defaulttab\defaulttab\wikipedia_ie.ico, Quarantined, [e525c265faa030068ecd238f887af40c],
PUP.Optional.DefaultTab, C:\Users\{username}\A\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\18x18.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\background.html, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\blank.html, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\manifest.json, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\manifest_no_button.json, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\new_tab.html, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\search_box.html, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\injection.css, Quarantined, [c04acb5ccfcbce689bc21999798924dc],
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\jquery-ui-1.8.16.custom.css, Quarantined,
[c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_flat_0_aaaaaa_40x100.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_flat_75_ffffff_40x100.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_glass_55_fbf9ee_1x400.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_glass_65_ffffff_1x400.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_glass_75_dadada_1x400.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_glass_75_e6e6e6_1x400.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_glass_95_fef1ec_1x400.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-bg_highlight-soft_75_cccccc_1x100.png, Quarantined, 
[c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-icons_222222_256x240.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-icons_2e83ff_256x240.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-icons_454545_256x240.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-icons_888888_256x240.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\css\jquery_ui\images\ui-icons_cd0a0a_256x240.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\help.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\engines_icons\Bing.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\engines_icons\Google.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\engines_icons\Search here.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\engines_icons\Yahoo.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_bottom_border_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\bullet_arrow_down.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\bullet_arrow_down_old.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\icon.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search-inner-wrapper.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search-left.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_arrow_top_button.png, Quarantined, 
[c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_arrow_top_button_hovered.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_bottom_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_bottom_left_before_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_bottom_left_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_bottom_right_before_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_bottom_right_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_left_border_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_left_bottom_border_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], 
PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_middle_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_right_border_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_right_bottom_border_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_top_bg.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_top_left_before_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_top_left_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_top_right_before_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\images\injection\search_top_right_corner.png, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\bg.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\ConfigManager.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\content.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\InjectionManager.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\jquery-1.7.1.min.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\jquery-ui-1.8.16.custom.min.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\jquery.guid.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\newTab.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\js\SearchBox.js, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.29_1\plugins\npDefaultTabSearch.dll, Quarantined, [c04acb5ccfcbce689bc21999798924dc], PUP.Optional.DefaultTab, C:\Program Files (x86)\DefaultTab\DefaultTab.crx, Quarantined, [7e8ce740e8b20c2add817042f21060a0], PUP.Optional.DefaultTab, C:\Program Files (x86)\DefaultTab\uid, Quarantined, [7e8ce740e8b20c2add817042f21060a0], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is PC Accelerate Pro?
The Malwarebytes research team has determined that PC Accelerate Pro is a fake system optimizer. These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Unpacked blog.

How do I know if I am infected with PC Accelerate Pro?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar and on your desktop:
and these icons in the taskbar of almost every other program:
And you may see these screens during "operations":
You may see this entry in your list of installed programs:

How did PC Accelerate Pro get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was bundled by other software.

How do I remove PC Accelerate Pro?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of PC Accelerate Pro?
No, Malwarebytes' Anti-Malware removes PC Accelerate Pro completely.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the PC Accelerate Pro installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts You may see these entries in FRST logs: (Installer Technology) C:\Program Files (x86)\PCAcceleratePro\PCAcceleratePro.exe (Installer Technology) C:\Program Files (x86)\InstantSupport\InstantSupport.exe HKLM-x32\...\Run: [PCAcceleratePro] => C:\Program Files (x86)\PCAcceleratePro\PCAcceleratePro.exe [8184128 2016-07-15] (Installer Technology) HKLM-x32\...\Run: [InstantSupport] => C:\Program Files (x86)\InstantSupport\InstantSupport.exe [5225792 2016-07-15] (Installer Technology) C:\Users\Public\Desktop\Instant Support.lnk C:\Users\Public\Desktop\PCAcceleratePro.lnk C:\Users\{username}\AppData\Roaming\PCAcceleratePro C:\Users\{username}\AppData\Roaming\InstantSupport C:\ProgramData\PCAcceleratePro C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCAcceleratePro C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InstantSupport C:\Program Files (x86)\InstantSupport C:\Program Files (x86)\PCAcceleratePro PCAcceleratePro & Instant support (HKLM-x32\...\PCAcceleratePro & Instant support) (Version: 1.0.23.2 - Installer Technology) () C:\Program Files (x86)\PCAcceleratePro\Scanner.dll () C:\Program Files (x86)\PCAcceleratePro\BrowserUtils.dll Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\InstantSupport Adds the file 1.txt"="7/21/2016 8:51 AM, 1 bytes, A Adds the file helper.exe"="7/15/2016 2:56 PM, 143680 bytes, A Adds the file InstantSupport.exe"="7/15/2016 2:56 PM, 5225792 bytes, A Adds the file InstantSupport64.dll"="7/15/2016 2:56 PM, 236864 bytes, A Adds the folder C:\Program Files (x86)\InstantSupport\languages Adds the file 
english.lng"="7/15/2016 2:26 PM, 5888 bytes, A Adds the file russian.lng"="7/15/2016 2:26 PM, 5580 bytes, A Adds the folder C:\Program Files (x86)\PCAcceleratePro Adds the file 1.txt"="7/21/2016 8:51 AM, 1 bytes, A Adds the file ap.ico"="6/20/2016 8:36 AM, 270398 bytes, A Adds the file BrowserUtils.dll"="7/15/2016 2:34 PM, 654336 bytes, A Adds the file data"="7/15/2016 2:26 PM, 128 bytes, A Adds the file driverhelper.dll"="7/15/2016 2:56 PM, 406336 bytes, A Adds the file driverhelper64.dll"="7/15/2016 2:56 PM, 486208 bytes, A Adds the file DriverInstallTool.exe"="7/15/2016 2:56 PM, 2327360 bytes, A Adds the file DriverInstallToolx64.exe"="7/15/2016 2:56 PM, 2901824 bytes, A Adds the file helper.exe"="7/15/2016 2:56 PM, 143680 bytes, A Adds the file ISSetup.exe"="7/15/2016 2:56 PM, 1923296 bytes, A Adds the file libav.dll"="6/22/2016 6:48 PM, 6416896 bytes, A Adds the file libeay32.dll"="2/1/2016 12:37 PM, 1177600 bytes, A Adds the file libssl32.dll"="2/1/2016 12:37 PM, 232960 bytes, A Adds the file libunrar.dll"="6/22/2016 6:48 PM, 53248 bytes, A Adds the file libunrar_iface.dll"="6/22/2016 6:48 PM, 15360 bytes, A Adds the file msvcp110.dll"="2/1/2016 12:37 PM, 535008 bytes, A Adds the file msvcr110.dll"="2/1/2016 12:37 PM, 875472 bytes, A Adds the file PCAcceleratePro.exe"="7/15/2016 2:56 PM, 8184128 bytes, A Adds the file PCAccelerateProAS.exe"="7/15/2016 2:56 PM, 230304 bytes, A Adds the file PCAccelerateProUpdater.exe"="7/15/2016 2:56 PM, 99136 bytes, A Adds the file RPCAcceleratePro.exe"="7/15/2016 2:56 PM, 90432 bytes, A Adds the file Scanner.dll"="7/15/2016 2:56 PM, 331584 bytes, A Adds the file uninstall.exe"="7/21/2016 8:50 AM, 148031 bytes, A Adds the folder C:\Program Files (x86)\PCAcceleratePro\languages Adds the file english.lng"="7/4/2016 4:51 PM, 25294 bytes, A Adds the file russian.lng"="7/4/2016 4:51 PM, 24626 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InstantSupport Adds the file Instant Support.lnk"="7/21/2016 
8:51 AM, 1117 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCAcceleratePro Adds the file PCAcceleratePro.lnk"="7/21/2016 8:51 AM, 1093 bytes, A Adds the folder C:\ProgramData\PCAcceleratePro Adds the file dwsm.dat"="2/16/2016 8:49 AM, 31712 bytes, A Adds the file PCAccelerateProUpdater.conf"="7/21/2016 8:51 AM, 53 bytes, A Adds the file RPCAcceleratePro.conf"="7/21/2016 8:51 AM, 329 bytes, A Adds the file wsm.dat"="2/16/2016 8:49 AM, 31712 bytes, A Adds the folder C:\ProgramData\PCAcceleratePro\database Adds the file mirrors.dat"="7/21/2016 8:52 AM, 104 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\InstantSupport Adds the file InstantSupport.cfg"="7/21/2016 8:53 AM, 202 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\PCAcceleratePro Adds the file PCAcceleratePro.cfg"="7/21/2016 8:51 AM, 279 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Instant Support.lnk"="7/21/2016 8:51 AM, 1099 bytes, A Adds the file PCAcceleratePro.lnk"="7/21/2016 8:51 AM, 1075 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\InstantSupport] "aff"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION] "PCAcceleratePro.exe"="REG_DWORD", 8888 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "InstantSupport"="REG_SZ", ""C:\Program Files (x86)\InstantSupport\InstantSupport.exe" -startup" "PCAcceleratePro"="REG_SZ", ""C:\Program Files (x86)\PCAcceleratePro\PCAcceleratePro.exe" -startup" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PCAcceleratePro & Instant support] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\PCAcceleratePro\ap.ico" "DisplayName"="REG_SZ", "PCAcceleratePro & Instant support" "DisplayVersion"="REG_SZ", "1.0.23.2" "Publisher"="REG_SZ", "Installer Technology" 
"UninstallString"="REG_SZ", "C:\Program Files (x86)\PCAcceleratePro\uninstall.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PCAcceleratePro] "(Default)"="REG_SZ", "C:\Program Files (x86)\PCAcceleratePro" "aff"="REG_SZ", "" "id"="REG_SZ", "c5d8e6831ffa10bbb0222327ca648824" [HKEY_CURRENT_USER\Software\ACPTab] "hb"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\InSTab] "hb"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\InstantSupport] "Assistent"="REG_DWORD", 0 "ServiceHeartBeat"="REG_SZ", "201607210851" "TrayWindow"="REG_DWORD", 132348 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION] "PCAcceleratePro.exe"="REG_DWORD", 8888 [HKEY_CURRENT_USER\Software\PCAcceleratePro] "ServiceHeartBeat"="REG_SZ", "201607210851" Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 7/21/2016 Scan Time: 9:04 AM Logfile: mbamPCaccelerate.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.07.20.11 Rootkit Database: v2016.05.27.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 315615 Time Elapsed: 9 min, 12 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 2 PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\PCAcceleratePro.exe, 3792, Delete-on-Reboot, [a8a3091d2c6ed3637c7edb079c65f40c] PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\InstantSupport.exe, 1492, Delete-on-Reboot, [ee5d9e88d0ca0a2ca6c8af13689bca36] Modules: 2 PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\BrowserUtils.dll, Delete-on-Reboot, [242784a223775cda8edf8e35857d29d7], PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\Scanner.dll, Delete-on-Reboot, 
[242784a223775cda8edf8e35857d29d7], Registry Keys: 8 PUP.Optional.InstantSupport, HKLM\SOFTWARE\CLASSES\CLSID\{48DED1A6-4444-43bA-AD0E-A9CEA7A51A5E}, Quarantined, [ee5d9e88d0ca0a2ca6c8af13689bca36], PUP.Optional.InstantSupport, HKLM\SOFTWARE\WOW6432NODE\InstantSupport, Quarantined, [3615ae78287261d53d414b8c18eb5aa6], PUP.Optional.PCAcceleratePro, HKLM\SOFTWARE\WOW6432NODE\PCAcceleratePro, Quarantined, [183347df613985b191f5a63159aaed13], PUP.Optional.InstantSupport, HKCU\SOFTWARE\InSTab, Quarantined, [3219cc5a5248122422a343b93fc4f50b], PUP.Optional.PCAcceleratePro, HKCU\SOFTWARE\PCAcceleratePro, Quarantined, [24271610613931054939b027d72c54ac], PUP.Optional.PCAcceleratePro, HKCU\SOFTWARE\ACPTAB, Quarantined, [f952e83ea5f5a19514476c91b2510bf5], PUP.Optional.InstantSupport, HKCU\SOFTWARE\INSTANTSUPPORT, Quarantined, [1e2d32f4801a3ef84d0732af4eb53bc5], PUP.Optional.PCAcceleratePro, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PCAcceleratePro & Instant support, Quarantined, [242784a223775cda8edf8e35857d29d7], Registry Values: 5 PUP.Optional.PCAcceleratePro, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|PCAcceleratePro, "C:\Program Files (x86)\PCAcceleratePro\PCAcceleratePro.exe" -startup, Quarantined, [a8a3091d2c6ed3637c7edb079c65f40c] PUP.Optional.InstantSupport, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|InstantSupport, "C:\Program Files (x86)\InstantSupport\InstantSupport.exe" -startup, Quarantined, [ee5d9e88d0ca0a2ca6c8af13689bca36] PUP.Optional.PCAcceleratePro, HKCU\SOFTWARE\ACPTAB|hb, 1, Quarantined, [f952e83ea5f5a19514476c91b2510bf5] PUP.Optional.InstantSupport, HKCU\SOFTWARE\INSTANTSUPPORT|Assistent, 0, Quarantined, [1e2d32f4801a3ef84d0732af4eb53bc5] PUP.Optional.PCAcceleratePro, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|PCAcceleratePro.exe, 8888, Quarantined, [76d50c1aa6f437ff299e22c1a65dc739] Registry Data: 0 (No malicious items detected) Folders: 10 
PUP.Optional.InstantSupport, C:\Users\{username}\AppData\Roaming\InstantSupport, Quarantined, [e16adc4a9a00c670aebe99294ab931cf], PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport, Delete-on-Reboot, [ee5d9e88d0ca0a2ca6c8af13689bca36], PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\languages, Delete-on-Reboot, [ee5d9e88d0ca0a2ca6c8af13689bca36], PUP.Optional.InstantSupport, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InstantSupport, Quarantined, [3f0c66c003973600501b14afc33f34cc], PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro, Delete-on-Reboot, [2e1d65c11b7f84b298d4dde6d1319a66], PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro\database, Quarantined, [2e1d65c11b7f84b298d4dde6d1319a66], PUP.Optional.PCAcceleratePro, C:\Users\{username}\AppData\Roaming\PCAcceleratePro, Quarantined, [3f0c23035446cc6a99d34c7705fddd23], PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro, Delete-on-Reboot, [242784a223775cda8edf8e35857d29d7], PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\languages, Quarantined, [242784a223775cda8edf8e35857d29d7], PUP.Optional.PCAcceleratePro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCAcceleratePro, Quarantined, [400b41e5f8a2eb4b91de348f19e9d52b], Files: 43 PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\PCAcceleratePro.exe, Delete-on-Reboot, [a8a3091d2c6ed3637c7edb079c65f40c], PUP.Optional.PCAcceleratePro, C:\Users\{username}\Desktop\pcinst.exe, Quarantined, [83c8b47274268caa8b6f4b97a06117e9], PUP.Optional.InstantSupport, C:\Users\{username}\AppData\Roaming\InstantSupport\InstantSupport.cfg, Quarantined, [e16adc4a9a00c670aebe99294ab931cf], PUP.Optional.InstantSupport, C:\Users\Public\Desktop\Instant Support.lnk, Quarantined, [68e32ef8c2d84fe785e8e4de4fb44cb4], PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\1.txt, Quarantined, [ee5d9e88d0ca0a2ca6c8af13689bca36], PUP.Optional.InstantSupport, 
C:\Program Files (x86)\InstantSupport\helper.exe, Quarantined, [ee5d9e88d0ca0a2ca6c8af13689bca36],
PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\InstantSupport.exe, Delete-on-Reboot, [ee5d9e88d0ca0a2ca6c8af13689bca36],
PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\InstantSupport64.dll, Quarantined, [ee5d9e88d0ca0a2ca6c8af13689bca36],
PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\languages\english.lng, Quarantined, [ee5d9e88d0ca0a2ca6c8af13689bca36],
PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\languages\russian.lng, Quarantined, [ee5d9e88d0ca0a2ca6c8af13689bca36],
PUP.Optional.PCAcceleratePro, C:\Users\Public\Desktop\PCAcceleratePro.lnk, Quarantined, [f4579b8bfb9f6dc9bbc65e79758e41bf],
PUP.Optional.InstantSupport, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InstantSupport\Instant Support.lnk, Quarantined, [3f0c66c003973600501b14afc33f34cc],
PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro\dwsm.dat, Quarantined, [2e1d65c11b7f84b298d4dde6d1319a66],
PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro\PCAccelerateProUpdater.conf, Quarantined, [2e1d65c11b7f84b298d4dde6d1319a66],
PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro\RPCAcceleratePro.conf, Quarantined, [2e1d65c11b7f84b298d4dde6d1319a66],
PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro\wsm.dat, Quarantined, [2e1d65c11b7f84b298d4dde6d1319a66],
PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro\database\mirrors.dat, Quarantined, [2e1d65c11b7f84b298d4dde6d1319a66],
PUP.Optional.PCAcceleratePro, C:\Users\{username}\AppData\Roaming\PCAcceleratePro\PCAcceleratePro.cfg, Quarantined, [3f0c23035446cc6a99d34c7705fddd23],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\libeay32.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\1.txt, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\ap.ico, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\BrowserUtils.dll, Delete-on-Reboot, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\data, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\driverhelper.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\driverhelper64.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\DriverInstallTool.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\DriverInstallToolx64.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\helper.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\ISSetup.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\libav.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\libssl32.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\libunrar.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\libunrar_iface.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\msvcp110.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\msvcr110.dll, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\PCAccelerateProAS.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\PCAccelerateProUpdater.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\RPCAcceleratePro.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\Scanner.dll, Delete-on-Reboot, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\uninstall.exe, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\languages\english.lng, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\languages\russian.lng, Quarantined, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCAcceleratePro\PCAcceleratePro.lnk, Quarantined, [400b41e5f8a2eb4b91de348f19e9d52b],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
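Added example, not part of the post above and not Malwarebytes' own tooling: a small PowerShell parser for the Malwarebytes Anti-Malware 2.x log format shown in this post and in the DNSBlock post below. Entries marked Delete-on-Reboot were in use when the scan ran (a loaded DLL, a running service) and are only removed during the restart the program asks for; this script pulls those entries out and, run after the reboot, checks that each one is really gone. The sample lines are a constructed subset of the log above, the function names are mine, and the line shape (detection, path, action, [hash]) is assumed from the logs on this page.

```powershell
# Added example (not from the post or from Malwarebytes): parse MBAM 2.x log
# lines and verify Delete-on-Reboot items after the restart.
# Assumed line shape: <Detection>, <Path or registry key>, <Action>, [<hash>],

# Constructed sample: a subset of the log entries in the post above.
$SampleLog = @'
Files: 3
PUP.Optional.InstantSupport, C:\Program Files (x86)\InstantSupport\InstantSupport.exe, Delete-on-Reboot, [ee5d9e88d0ca0a2ca6c8af13689bca36],
PUP.Optional.PCAcceleratePro, C:\Program Files (x86)\PCAcceleratePro\BrowserUtils.dll, Delete-on-Reboot, [242784a223775cda8edf8e35857d29d7],
PUP.Optional.PCAcceleratePro, C:\ProgramData\PCAcceleratePro\wsm.dat, Quarantined, [2e1d65c11b7f84b298d4dde6d1319a66],
Physical Sectors: 0
(No malicious items detected)
'@

function ConvertFrom-MbamLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Registry entries (HKLM\..., HKCU\...) share the shape; they are kept but
    # flagged so the on-disk check below can skip them.
    $pattern = '^(?<Detection>[^,]+),\s*(?<Target>.+?),\s*(?<Action>Quarantined|Delete-on-Reboot|No Action By User),\s*\[(?<Hash>[0-9a-f]{32})\]'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Detection  = $Matches.Detection
                Target     = $Matches.Target
                Action     = $Matches.Action
                Hash       = $Matches.Hash
                IsRegistry = [bool]($Matches.Target -match '^HK(LM|CU|CR|U)\\')
            }
        }
    }
}

function Test-MbamRebootCleanup {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Quarantined items were moved immediately. Delete-on-Reboot items are
    # removed on the next boot, so after the restart any path still present
    # means the reboot was skipped or something re-created the file.
    foreach ($e in $Entries | Where-Object { $_.Action -eq 'Delete-on-Reboot' -and -not $_.IsRegistry }) {
        [pscustomobject]@{
            Detection    = $e.Detection
            Path         = $e.Target
            StillPresent = Test-Path -LiteralPath $e.Target
        }
    }
}

# Usage: parse the sample, summarise actions, then check the reboot items.
# Replace $SampleLog with Get-Content on a real mbam-log-*.txt to use it for real.
$entries = ConvertFrom-MbamLog -Lines ($SampleLog -split "`r?`n")
$entries | Group-Object Action | Select-Object Name, Count
Test-MbamRebootCleanup -Entries $entries | Format-Table -AutoSize
```

On a machine that was never infected the check reports the sample paths as absent, which is the expected clean result; on a machine that was cleaned, anything listed with StillPresent = True is worth a second scan rather than a manual delete, since the log hash identifies exactly which detection it belonged to.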
3. What is DNSBlock?

The Malwarebytes research team has determined that DNSBlock is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your start page or search scopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is affected by DNSBlock?

You may see this entry in your list of installed software:
these very non-descriptive browser add-ons:
and this if you use the "More information" link in Internet Explorer:

How did DNSBlock get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove DNSBlock?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of DNSBlock?

No, Malwarebytes' Anti-Malware removes DNSBlock completely.
You may be prompted twice to reboot after removal, if Malwarebytes Anti-Malware needs to restore your connection after removing this LSP-hijacker.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the DNSBlock hijacker.
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
() C:\Windows\System32\DnsBlockUpdateSvc.exe
() C:\Program Files (x86)\DnsBlock\DnsBlockTray.exe
HKLM-x32\...\Run: [DnsBlock] => C:\Program Files (x86)\DnsBlock\DnsBlockTray.exe [826912 2016-07-20] ()
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Winsock: Catalog5 05 C:\Windows\SysWOW64\DnsBlockA.dll [343584 2016-07-20] (DnsBlock)
Winsock: Catalog5 08 C:\Windows\SysWOW64\DnsBlockB.dll [343584 2016-07-20] (DnsBlock)
Winsock: Catalog5-x64 05 C:\Windows\system32\DnsBlockA.dll [434208 2016-07-20] (DnsBlock)
Winsock: Catalog5-x64 08 C:\Windows\system32\DnsBlockB.dll [433696 2016-07-20] (DnsBlock)
BHO: - -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files\{F4455705-0398-4B66-9A2C-3CF10B194BD7}\{7200DD06-FDB1-46BC-81AC-5535801343FA}.bin [2016-07-20] ( )
BHO-x32: - -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files (x86)\{8363D01B-0B81-4A87-9E37-5D69EED4CDF7}\{AA040DA0-8E0F-4AF6-BE2E-A9D3C4F5E70F}.bin [2016-07-20] ( )
FF user.js: detected! => C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\user.js [2016-07-20]
FF Extension: - C:\Windows\Installer\{2871ED58-8B9B-41E7-8478-9F371BDDE793}\{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}.xpi [2016-07-20]
FF HKLM-x32\...\Firefox\Extensions: [{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}] - C:\Windows\Installer\{2871ED58-8B9B-41E7-8478-9F371BDDE793}\{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}.xpi
R2 DnsBlockUpdateSvc; C:\Windows\system32\DnsBlockUpdateSvc.exe [151072 2016-07-20] () [File not signed]
C:\Windows\SysWOW64\iscsjexe.dll
C:\Program Files\{F4455705-0398-4B66-9A2C-3CF10B194BD7}
C:\Program Files (x86)\{8363D01B-0B81-4A87-9E37-5D69EED4CDF7}
C:\Windows\system32\DnsBlockUpdateSvc.exe
C:\Windows\SysWOW64\dns.block
C:\Windows\system32\dns.block
(DnsBlock) C:\Windows\system32\DnsBlockA.dll
(DnsBlock) C:\Windows\system32\DnsBlockB.dll
(DnsBlock) C:\Windows\SysWOW64\DnsBlockB.dll
(DnsBlock) C:\Windows\SysWOW64\DnsBlockA.dll
C:\Users\{username}\AppData\Local\DnsBlock
C:\Program Files (x86)\DnsBlock
DNSBlock (HKLM\...\{7b5da7f5-de7d-4e00-b330-a2e08e460095}) (Version: 1.0.0 - NETNS GMBH)
AlternateDataStreams: C:\Windows\system32\DnsBlockUpdateSvc.exe:IID [16]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\{F4455705-0398-4B66-9A2C-3CF10B194BD7}
Adds the file {7200DD06-FDB1-46BC-81AC-5535801343FA}.bin"="7/20/2016 8:32 AM, 494080 bytes, A
Adds the file config.json"="7/20/2016 8:32 AM, 122 bytes, A
Adds the file def.bin"="7/20/2016 8:32 AM, 688480 bytes, A
Adds the folder C:\Program Files (x86)\{8363D01B-0B81-4A87-9E37-5D69EED4CDF7}
Adds the file {AA040DA0-8E0F-4AF6-BE2E-A9D3C4F5E70F}.bin"="7/20/2016 8:32 AM, 396288 bytes, A
Adds the file config.json"="7/20/2016 8:32 AM, 122 bytes, A
Adds the file def.bin"="7/20/2016 8:32 AM, 688480 bytes, A
Adds the folder C:\Program Files (x86)\DnsBlock
Adds the file DnsBlockTray.exe"="7/20/2016 8:31 AM, 826912 bytes, A
Adds the file uninst.exe"="7/20/2016 8:16 AM, 1589792 bytes, A
In the existing folder C:\Program Files (x86)\Google\Chrome\Application
Adds the file wtsapi32.dll"="7/20/2016 8:32 AM, 12288 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\DnsBlock
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default
Adds the file user.js"="7/20/2016 8:32 AM, 176 bytes, A
Adds the folder C:\Windows\Installer\{1AF40EF3-0E79-465D-806E-7C4C54CEF979}
Adds the file cpmnpnlnpnjhgdpfonblbjphccmhjaolorx"="7/20/2016 8:32 AM, 789768 bytes, A
Adds the file xpmnpnlnpnjhgdpfonblbjphccmhjaoloml"="7/20/2016 8:32 AM, 330 bytes, A
Adds the folder C:\Windows\Installer\{2871ED58-8B9B-41E7-8478-9F371BDDE793}
Adds the file {D65891E6-79FD-4AAE-95ED-7E49775AD4F8}.xpi"="7/20/2016 8:32 AM, 699360 bytes, A
In the existing folder C:\Windows\System32
Adds the file dns.block"="7/20/2016 8:31 AM, 471968 bytes, A
Adds the file DnsBlockA.dll"="7/20/2016 8:31 AM, 434208 bytes, A
Adds the file DnsBlockB.dll"="7/20/2016 8:31 AM, 433696 bytes, A
Adds the file DnsBlockUpdateSvc.exe"="7/20/2016 8:32 AM, 151072 bytes, A
In the existing folder C:\Windows\SysWOW64
Adds the file dns.block"="7/20/2016 8:31 AM, 471968 bytes, A
Adds the file DnsBlockA.dll"="7/20/2016 8:31 AM, 343584 bytes, A
Adds the file DnsBlockB.dll"="7/20/2016 8:31 AM, 343584 bytes, A
Adds the file iscsjexe.dll"="7/20/2016 8:32 AM, 5120 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1C6F51F8-BCE6-4702-8952-6A8233359FBC}]
"(Default)"="REG_SZ", "DPBHO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DPBHO.DLL]
"AppID"="REG_SZ", "{1C6F51F8-BCE6-4702-8952-6A8233359FBC}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}]
"(Default)"="REG_SZ", "-"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\Implemented Categories]
"(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\InprocServer32]
"(Default)"="REG_SZ", "C:\Program Files\{F4455705-0398-4B66-9A2C-3CF10B194BD7}\{7200DD06-FDB1-46BC-81AC-5535801343FA}.bin"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\ProgID]
"(Default)"="REG_SZ", "DPBHO.DownloadProtect.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\TypeLib]
"(Default)"="REG_SZ", "{E7BF74EE-9106-4113-B216-2F980BA29141}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\VersionIndependentProgID]
"(Default)"="REG_SZ", "DPBHO.DownloadProtect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPBHO.DownloadProtect]
"(Default)"="REG_SZ", "DownloadProtect Extension"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPBHO.DownloadProtect\CLSID]
"(Default)"="REG_SZ", "{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPBHO.DownloadProtect\CurVer]
"(Default)"="REG_SZ", "DPBHO.DownloadProtect.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPBHO.DownloadProtect.1]
"(Default)"="REG_SZ", "DownloadProtect Extension"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPBHO.DownloadProtect.1\CLSID]
"(Default)"="REG_SZ", "{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}]
"(Default)"="REG_SZ", "IDownloadProtect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}\TypeLib]
"(Default)"="REG_SZ", "{E7BF74EE-9106-4113-B216-2F980BA29141}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7BF74EE-9106-4113-B216-2F980BA29141}\1.0]
"(Default)"="REG_SZ", "DPBHO 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7BF74EE-9106-4113-B216-2F980BA29141}\1.0\0\win32]
"(Default)"="REG_SZ", "C:\Program Files (x86)\{8363D01B-0B81-4A87-9E37-5D69EED4CDF7}\{AA040DA0-8E0F-4AF6-BE2E-A9D3C4F5E70F}.bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7BF74EE-9106-4113-B216-2F980BA29141}\1.0\0\win64]
"(Default)"="REG_SZ", "C:\Program Files\{F4455705-0398-4B66-9A2C-3CF10B194BD7}\{7200DD06-FDB1-46BC-81AC-5535801343FA}.bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7BF74EE-9106-4113-B216-2F980BA29141}\1.0\FLAGS]
"(Default)"="REG_SZ", "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7BF74EE-9106-4113-B216-2F980BA29141}\1.0\HELPDIR]
"(Default)"="REG_SZ", "C:\Program Files\{F4455705-0398-4B66-9A2C-3CF10B194BD7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}]
"(Default)"="REG_SZ", "-"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\Implemented Categories]
"(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\InprocServer32]
"(Default)"="REG_SZ", "C:\Program Files (x86)\{8363D01B-0B81-4A87-9E37-5D69EED4CDF7}\{AA040DA0-8E0F-4AF6-BE2E-A9D3C4F5E70F}.bin"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\ProgID]
"(Default)"="REG_SZ", "DPBHO.DownloadProtect.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\TypeLib]
"(Default)"="REG_SZ", "{E7BF74EE-9106-4113-B216-2F980BA29141}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\VersionIndependentProgID]
"(Default)"="REG_SZ", "DPBHO.DownloadProtect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}]
"(Default)"="REG_SZ", "IDownloadProtect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}\TypeLib]
"(Default)"="REG_SZ", "{E7BF74EE-9106-4113-B216-2F980BA29141}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"9c81da33"="REG_SZ", "15BMupdVJdq0gRyd0Gyb2vblT1CYCnGH8giEm/pnVrOhXyGc+2PMVAMQZDS97+h5+chrpjTovCnMXtwEMj4HrKZBFEcR7cQyPQHWi6MRSJu4IqwIWKOVInEnpFavCAe9Se5EhuyoAB+kF0Oymjdmd1RNM5zTbjZjPkzjy1FJ35Je46YZSI3m9e+iRhzSPQzhU7nWUlkURMB8ggZUHKFpJCrB7YtgIGJusFPn7NemqnH8/x906MYVi2/Ts68OxkOSd2Ww6gR2ytdR/Vmb2ZAcSYAeV25wky9ggvhBomvd6sTJ1z2jf+VJbdhmqRnbxGhMIQeUTH6c7Jnd/WECOzh/xsnaWTxBrmDpMajcqceS0n+lI60sLa7usywV/RE63iaw7OtX7NeIbqMkI6x+94YvPikRwLpZv4dUsoRS8rDq4j0="
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer]
"c46139b8"="REG_SZ", "SaAV3zIWw1fWUsk/4n1/K6YGSR5EEDwJm8O5VeIK1JqY9GdlGaWOpDs8QrtkhPssyfTUBo2qLKkR9w4FPXL0ZL05GabWOATbTKRBJ5XdoDi50JhiG0jS03hetNN7ggPuGQMCNxbbq04ofjTqS+xeyjhddV007EpqcrySBk8w4vPNE4d/Y3aoeWvQ0eHGkVGzU3fuZnGU2X4="
"c4613a1d"="REG_SZ", "SAM9S09hHMZ4qIy1SNN0vNktmaR0NMJ2qFteC8uHPPWKJfR6JLdQCm1dkHCs9auKSmOevHnu6UMJ4I5crzpR9tv9lNT9mW5vH65aimsuzpI7/u9CZGAbvHp0gAFAI3DgTtWZXSaNcnN5FHhuSHhrYKy+LnakoyES9cIk/5gqiEZjIzeF/TXIiJZJCJ7DVh8s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}]
"(Default)"="REG_SZ", "DownloadProtect Extension"
"NoExplorer"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7b5da7f5-de7d-4e00-b330-a2e08e460095}]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\DnsBlock\uninst.exe"
"DisplayName"="REG_SZ", "DNSBlock"
"DisplayVersion"="REG_SZ", "1.0.0"
"EstimatedSize"="REG_DWORD", 4812
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "NETNS GMBH"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\DnsBlock\uninst.exe" uninstall"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]
"06c3cc47"="REG_SZ", "R57pFDOng2R5r3Zrd6B8tXrBf+BnJxg1h/M3M89kFveuYAxypCKqrDbnMr3SUhTgIPFlljn7gFcEZpWls7leiH5EkmdJnpRge4qRBTqGuOJNcRt9xLMmFYT4hTxZ64TzpSkxYmAEjOxZaUhZTiKuGw=="
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}]
"(Default)"="REG_SZ", "DownloadProtect Extension"
"NoExplorer"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DnsBlock"="REG_SZ", "C:\Program Files (x86)\DnsBlock\DnsBlockTray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}"="REG_SZ", "C:\Windows\Installer\{2871ED58-8B9B-41E7-8478-9F371BDDE793}\{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}.xpi"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DnsBlockUpdateSvc]
"DisplayName"="REG_SZ", "DnsBlock Update Service"
"ErrorControl"="REG_DWORD", 0
"ImagePath"="REG_EXPAND_SZ", "C:\Windows\system32\DnsBlockUpdateSvc.exe"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache]
"Id"="REG_SZ", "wx6SQPvZ2drpftOKYLTbmn9c4/mv4KDveB0dPPPvN6Wzli1S1m7xEA=="
"if"="REG_SZ", "WxuXNgZkZVg="

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/20/2016
Scan Time: 8:45 AM
Logfile: mbamDNSBlock.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.20.03
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 315397
Time Elapsed: 8 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockUpdateSvc.exe, 3940, Delete-on-Reboot, [2a1953d39efcf5418e42d0e7f011b54b]

Modules: 4
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockA.dll, Delete-on-Reboot, [33109096f3a7aa8c8151d9de3cc5c040],
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockA.dll, Delete-on-Reboot, [33109096f3a7aa8c8151d9de3cc5c040],
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockB.dll, Delete-on-Reboot, [e36049ddb4e6b87ee7ebbcfb7b86ef11],
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockB.dll, Delete-on-Reboot, [e36049ddb4e6b87ee7ebbcfb7b86ef11],

Registry Keys: 25
PUP.Optional.DNSBlock, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DnsBlockUpdateSvc, Quarantined, [2a1953d39efcf5418e42d0e7f011b54b],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\INPROCSERVER32, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\TYPELIB\{E7BF74EE-9106-4113-B216-2F980BA29141}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\INTERFACE\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{E7BF74EE-9106-4113-B216-2F980BA29141}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{E7BF74EE-9106-4113-B216-2F980BA29141}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\DPBHO.DownloadProtect.1, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\DPBHO.DownloadProtect, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DPBHO.DownloadProtect, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DPBHO.DownloadProtect, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DPBHO.DownloadProtect.1, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DPBHO.DownloadProtect.1, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DNSBlock, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{7b5da7f5-de7d-4e00-b330-a2e08e460095}, Quarantined, [79cab96d7129c373a52c7f382ed357a9],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\APPID\DPBHO.DLL, Quarantined, [5fe40a1cb3e72115178b01e1bd46b34d],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\DPBHO.DLL, Quarantined, [74cf4dd9f7a3ad89f4ae03dfb94ae21e],
PUP.Optional.DownloadProtect, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\DPBHO.DLL, Quarantined, [e45ffc2a23775bdbc5ddf0f270938d73],

Registry Values: 1
PUP.Optional.DownloadProtectExtension, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}, C:\Windows\Installer\{2871ED58-8B9B-41E7-8478-9F371BDDE793}\{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}.xpi, Quarantined, [f15213136238142219bd811ff0134ab6]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.DownloadProtect, C:\Windows\Installer\{1AF40EF3-0E79-465D-806E-7C4C54CEF979}, Quarantined, [ec578f976238cc6adef3cad6ef1411ef],
PUP.Optional.DownloadProtect.ChrPRST, C:\Windows\Installer\{2871ED58-8B9B-41E7-8478-9F371BDDE793}, Quarantined, [d66d55d14b4f290df73a4c9a2bd8f30d],

Files: 15
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockA.dll, Delete-on-Reboot, [33109096f3a7aa8c8151d9de3cc5c040],
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockB.dll, Delete-on-Reboot, [e36049ddb4e6b87ee7ebbcfb7b86ef11],
PUP.Optional.DNSBlock, C:\Windows\System32\DnsBlockUpdateSvc.exe, Delete-on-Reboot, [2a1953d39efcf5418e42d0e7f011b54b],
PUP.Optional.DownloadProtect, C:\Program Files\{F4455705-0398-4B66-9A2C-3CF10B194BD7}\{7200DD06-FDB1-46BC-81AC-5535801343FA}.bin, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DownloadProtect, C:\Program Files (x86)\{8363D01B-0B81-4A87-9E37-5D69EED4CDF7}\{AA040DA0-8E0F-4AF6-BE2E-A9D3C4F5E70F}.bin, Quarantined, [083bef378218c2745b63503fa85a9b65],
PUP.Optional.DNSBlock, C:\Users\{username}\Desktop\DNSBlock.exe, Quarantined, [8cb7e541792170c6ad24af08b051b14f],
PUP.Optional.DNSBlock, C:\Program Files (x86)\DnsBlock\uninst.exe, Quarantined, [79cab96d7129c373a52c7f382ed357a9],
PUP.Optional.DNSBlock, C:\Windows\SysWOW64\DnsBlockA.dll, Delete-on-Reboot, [2320b373aeece94dba1814a3679af808],
PUP.Optional.DNSBlock, C:\Windows\SysWOW64\DnsBlockB.dll, Delete-on-Reboot, [6bd8f135b7e34de9fdd5bcfb857c6f91],
Trojan.Agent.WSB, C:\Windows\SysWOW64\iscsjexe.dll, Quarantined, [cb78d155faa0c07644d0955eba47a15f],
PUP.Optional.DNSBlocker.BrwsrFlsh, C:\Windows\System32\dns.block, Quarantined, [47fc70b665351125b4c3c8cda65d5ba5],
PUP.Optional.DNSBlocker.BrwsrFlsh, C:\Windows\SysWOW64\dns.block, Quarantined, [80c38d99a3f765d186f17f16bd46cf31],
PUP.Optional.DownloadProtect, C:\Windows\Installer\{1AF40EF3-0E79-465D-806E-7C4C54CEF979}\cpmnpnlnpnjhgdpfonblbjphccmhjaolorx, Quarantined, [ec578f976238cc6adef3cad6ef1411ef],
PUP.Optional.DownloadProtect, C:\Windows\Installer\{1AF40EF3-0E79-465D-806E-7C4C54CEF979}\xpmnpnlnpnjhgdpfonblbjphccmhjaoloml, Quarantined, [ec578f976238cc6adef3cad6ef1411ef],
PUP.Optional.DownloadProtect.ChrPRST, C:\Windows\Installer\{2871ED58-8B9B-41E7-8478-9F371BDDE793}\{D65891E6-79FD-4AAE-95ED-7E49775AD4F8}.xpi, Quarantined, [d66d55d14b4f290df73a4c9a2bd8f30d],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
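Added example, written for this page and not part of the post, of FRST or of Malwarebytes: a PowerShell triage script that checks a live Windows host for the artefact classes the FRST excerpt above shows. The entries FRST prints as "Winsock: Catalog5" live under NameSpace_Catalog5 in the registry, the list of namespace providers Winsock consults for name resolution, which is what a "DNS" hijacker needs to hook and why a broken entry can leave name resolution failing until the catalog is repaired; Protocol_Catalog9 holds the transport and layered providers. Rather than matching DnsBlock names, the script reports any namespace or layered provider, Browser Helper Object, auto-start service binary, DLL in Chrome's application folder or Chrome policy key that is missing, unsigned, or not signed by the vendor expected there, plus extra NTFS streams on service binaries and user.js files in Firefox profiles. All registry paths are standard Windows and Chrome locations; the one layout assumption (the PackedCatalogItem blob starts with the provider path as a 260-byte NUL-terminated string) is labelled in the code. Run it from an elevated prompt.

```powershell
# Added triage script (not from the post, FRST or Malwarebytes). Run elevated.
# Reports artefacts of the classes seen in the DNSBlock FRST excerpt that are
# missing, unsigned, or not signed by the vendor expected in that location.

function Get-SignerInfo {
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    if (-not (Test-Path -LiteralPath $p)) { return "MISSING: $p" }
    $sig = Get-AuthenticodeSignature -FilePath $p
    # Caveat: on Windows 7, catalog-signed OS files report NotSigned here;
    # compare those against a known-good copy before acting on them.
    if ($sig.Status -ne 'Valid') { return "$($sig.Status): $p" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "THIRD-PARTY ($($sig.SignerCertificate.Subject)): $p"
    }
    return $null   # Microsoft-signed: nothing to report
}

function Get-WinsockProviders {
    # NameSpace_Catalog5 = namespace providers (name resolution hooks);
    # Protocol_Catalog9 = transport/layered service providers (LSPs).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
    foreach ($sub in 'NameSpace_Catalog5\Catalog_Entries', 'NameSpace_Catalog5\Catalog_Entries64') {
        Get-ChildItem "$base\$sub" -ErrorAction SilentlyContinue | ForEach-Object {
            $lib = (Get-ItemProperty $_.PSPath).LibraryPath
            [pscustomobject]@{ Catalog = $sub; Entry = $_.PSChildName; Library = $lib; Finding = Get-SignerInfo $lib }
        }
    }
    foreach ($sub in 'Protocol_Catalog9\Catalog_Entries', 'Protocol_Catalog9\Catalog_Entries64') {
        Get-ChildItem "$base\$sub" -ErrorAction SilentlyContinue | ForEach-Object {
            $blob = (Get-ItemProperty $_.PSPath).PackedCatalogItem
            if (-not $blob) { return }
            # Assumption (WSAPROTOCOL_INFO packing): the blob begins with the
            # provider DLL path as a NUL-terminated ANSI string of MAX_PATH bytes.
            $lib = [Text.Encoding]::ASCII.GetString($blob, 0, [Math]::Min(260, $blob.Length)).Split([char]0)[0]
            [pscustomobject]@{ Catalog = $sub; Entry = $_.PSChildName; Library = $lib; Finding = Get-SignerInfo $lib }
        }
    }
}

function Get-BrowserHelperObjects {
    # IE loads every CLSID listed here; the DLL comes from InprocServer32 in the same view.
    foreach ($view in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
        Get-ChildItem "HKLM:\$view\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid   = $_.PSChildName
            $server  = (Get-ItemProperty "HKLM:\$view\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $finding = if ($server) { Get-SignerInfo $server } else { 'NO InprocServer32' }
            [pscustomobject]@{ View = $view; CLSID = $clsid; Server = $server; Finding = $finding }
        }
    }
}

function Get-ChromePolicyKeys {
    # Home PCs normally have no Chrome policy keys; a PUP uses them to pin
    # extensions or lock settings (FRST prints this as "Restriction").
    foreach ($k in 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google') {
        if (Test-Path $k) { @(Get-Item $k) + @(Get-ChildItem $k -Recurse) | Select-Object Name, Property }
    }
}

function Get-SideloadedChromeDlls {
    # DNSBlock dropped wtsapi32.dll beside chrome.exe so Chrome loads it ahead
    # of the System32 copy; any DLL there not signed by Google deserves a look.
    foreach ($dir in "$env:ProgramFiles\Google\Chrome\Application", "${env:ProgramFiles(x86)}\Google\Chrome\Application") {
        Get-ChildItem $dir -Filter *.dll -ErrorAction SilentlyContinue | ForEach-Object {
            $sig = Get-AuthenticodeSignature $_.FullName
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Google') {
                [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
            }
        }
    }
}

function Get-SuspiciousServices {
    # Auto-start services with an unsigned/third-party binary, plus extra NTFS
    # streams on it (FRST showed an ":IID" stream on DnsBlockUpdateSvc.exe).
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } | ForEach-Object {
        $svc = $_
        $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
        $finding = Get-SignerInfo $exe
        if ($finding) {
            $streams = Get-Item -LiteralPath $exe -Stream * -ErrorAction SilentlyContinue |
                       Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object { $_.Stream }
            [pscustomobject]@{ Service = $svc.Name; Binary = $exe; Finding = $finding; ExtraStreams = ($streams -join ', ') }
        }
    }
}

Get-WinsockProviders     | Where-Object Finding | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
Get-ChromePolicyKeys
Get-SideloadedChromeDlls | Format-Table -AutoSize
Get-SuspiciousServices   | Format-Table -AutoSize
# user.js is re-applied on every Firefox start and overrides prefs.js, so a
# start page fixed in the UI comes back on the next launch if one is present.
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\user.js" -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
```

The script only reports; it deliberately does not delete Winsock entries, because removing a namespace provider by hand without repairing the catalog is exactly what leaves a machine without working name resolution. If you do find a foreign provider and the cleaning tool does not restore connectivity after the reboot, "netsh winsock reset" followed by another restart rebuilds the catalog from the default providers.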
4. What is ContentProtector?

The Malwarebytes research team has determined that ContentProtector is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by ContentProtector?

You may see these warnings during install:
this entry in your list of installed programs:
and this icon in your startmenu:

How did ContentProtector get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove ContentProtector?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of ContentProtector?

No, Malwarebytes' Anti-Malware removes ContentProtector completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the ContentProtector adware.
It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
("Artex Management S. A.") C:\Program Files\ContentProtector\ContentProtector.exe
("Artex Management S. A.") C:\Program Files\ContentProtector\ContentProtectorUpdate.exe
R2 ContentProtector; C:\Program Files\ContentProtector\ContentProtector.exe [709376 2016-02-16] ("Artex Management S. A.")
R2 ContentProtectorUpdate; C:\Program Files\ContentProtector\ContentProtectorUpdate.exe [257792 2016-02-16] ("Artex Management S. A.")
R1 ContentProtectorDrv; C:\WINDOWS\system32\drivers\ContentProtectorDrv.sys [58200 2016-02-16] ()
C:\Program Files\ContentProtector
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ContentProtector
C:\WINDOWS\system32\Drivers\ContentProtectorDrv.sys
ContentProtector (HKLM\...\ContentProtector) (Version: 2.0 - Artex Management S. A.)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\ContentProtector
Adds the file condefclean.exe"="2/16/2016 7:14 PM, 122112 bytes, A
Adds the file condefupdatePS.dll"="2/16/2016 7:14 PM, 14080 bytes, A
Adds the file ConProtSetup.exe"="7/19/2016 1:20 PM, 6322787 bytes, A
Adds the file ContentProtector.exe"="2/16/2016 7:14 PM, 709376 bytes, A
Adds the file ContentProtectorConrol.exe"="2/16/2016 7:14 PM, 278784 bytes, A
Adds the file ContentProtectorUpdate.exe"="2/16/2016 7:14 PM, 257792 bytes, A
Adds the file import_root_cert.exe"="2/16/2016 7:14 PM, 99584 bytes, A
Adds the file libeay32.dll"="2/16/2016 7:14 PM, 2515200 bytes, A
Adds the file nfregdrv.exe"="2/16/2016 7:14 PM, 144640 bytes, A
Adds the file ssleay32.dll"="2/16/2016 7:14 PM, 483072 bytes, A
Adds the folder C:\Program Files\ContentProtector\cert\SSL
Adds the file cert.db"="7/19/2016 12:25 PM, 0 bytes, A
Adds the file ContentProtector 2.cer"="7/19/2016 12:25 PM, 776 bytes, A
Adds the folder C:\Program Files\ContentProtector\nss
Adds the file certutil.exe"="2/16/2016 7:14 PM, 95488 bytes, A
Adds the file mozcrt19.dll"="2/16/2016 7:14 PM, 718080 bytes, A
Adds the file nspr4.dll"="2/16/2016 7:14 PM, 169216 bytes, A
Adds the file nss3.dll"="2/16/2016 7:14 PM, 369920 bytes, A
Adds the file plc4.dll"="2/16/2016 7:14 PM, 20224 bytes, A
Adds the file plds4.dll"="2/16/2016 7:14 PM, 17152 bytes, A
Adds the file smime3.dll"="2/16/2016 7:14 PM, 111872 bytes, A
Adds the file softokn3.dll"="2/16/2016 7:14 PM, 378112 bytes, A
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ContentProtector
Adds the file Settings.lnk"="7/19/2016 12:24 PM, 993 bytes, A
In the existing folder C:\Windows\System32\drivers
Adds the file ContentProtectorDrv.sys"="2/16/2016 7:13 PM, 58200 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}]
"LocalService"="REG_SZ", "ContentProtector"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C81BED3B-31BD-491F-813D-78EFC2638CE1}]
"LocalService"="REG_SZ", "ContentProtectorUpdate"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}]
"(Default)"="REG_SZ", "UpdaterIface Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\LocalServer32]
"(Default)"="REG_SZ", ""C:\Program Files\ContentProtector\ContentProtectorUpdate.exe""
"ServerExecutable"="REG_SZ", "C:\Program Files\ContentProtector\ContentProtectorUpdate.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\TypeLib]
"(Default)"="REG_SZ", "{D5397E85-8AF4-414B-90FC-9F4244CD46FA}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\Version]
"(Default)"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}]
"(Default)"="REG_SZ", "DefenderControl Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\LocalServer32]
"(Default)"="REG_SZ", ""C:\Program Files\ContentProtector\ContentProtector.exe""
"ServerExecutable"="REG_SZ", "C:\Program Files\ContentProtector\ContentProtector.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\TypeLib]
"(Default)"="REG_SZ", "{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\Version]
"(Default)"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}]
"(Default)"="REG_SZ", "IDefenderControl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib]
"(Default)"="REG_SZ", "{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}]
"(Default)"="REG_SZ", "IUpdaterIface"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\TypeLib]
"(Default)"="REG_SZ", "{D5397E85-8AF4-414B-90FC-9F4244CD46FA}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0]
"(Default)"="REG_SZ", "ContentDefenderLib"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\0\win64]
"(Default)"="REG_SZ", "C:\Program Files\ContentProtector\ContentProtector.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\FLAGS]
"(Default)"="REG_SZ", "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\HELPDIR]
"(Default)"="REG_SZ", "C:\Program Files\ContentProtector"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0]
"(Default)"="REG_SZ", "condefupdateLib"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0\0\win64]
"(Default)"="REG_SZ", "C:\Program Files\ContentProtector\ContentProtectorUpdate.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0\FLAGS]
"(Default)"="REG_SZ", "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0\HELPDIR]
"(Default)"="REG_SZ", "C:\Program Files\ContentProtector"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B28F9114-243E-4046-B173-11825352D18A}]
"(Default)"="REG_SZ", "IDefenderControl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib]
"(Default)"="REG_SZ", "{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}]
"(Default)"="REG_SZ", "IUpdaterIface"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\TypeLib]
"(Default)"="REG_SZ", "{D5397E85-8AF4-414B-90FC-9F4244CD46FA}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\ContentProtector]
"campaignid"="REG_SZ", "0"
"ff"="REG_SZ", "yes"
"installed"="REG_SZ", "1"
"siteid"="REG_SZ", "0"
"sourceid"="REG_SZ", "1"
"userid"="REG_SZ", "B155C458-9D41-4923-87C3-9A9033D8D6C2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentProtector]
"DisplayIcon"="REG_SZ", "C:\Program
Files\ContentProtector\ConProtSetup.exe" "DisplayName"="REG_SZ", "ContentProtector" "DisplayVersion"="REG_SZ", "2.0" "EstimatedSize"="REG_DWORD", 6000 "InstallDate"="REG_SZ", "20160719" "Publisher"="REG_SZ", "Artex Management S. A." "UninstallString"="REG_SZ", "C:\Program Files\ContentProtector\ConProtSetup.exe uninst=1" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ContentProtector] "DependOnService"="REG_MULTI_SZ, "RPCSS " "DisplayName"="REG_SZ", "ContentProtector" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\ContentProtector\ContentProtector.exe"" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ContentProtectorDrv] "DisplayName"="REG_SZ", "ContentProtectorDrv" "ErrorControl"="REG_DWORD", 1 "Group"="REG_SZ", "PNP_TDI" "ImagePath"="REG_EXPAND_SZ, "\??\C:\WINDOWS\system32\drivers\ContentProtectorDrv.sys" "Start"="REG_DWORD", 1 "Tag"="REG_DWORD", 10 "Type"="REG_DWORD", 1 "WOW64"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ContentProtectorUpdate] "DependOnService"="REG_MULTI_SZ, "RPCSS " "DisplayName"="REG_SZ", "ContentProtectorUpdate" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files\ContentProtector\ContentProtectorUpdate.exe"" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 16 Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 7/19/2016 Scan Time: 1:34 PM Logfile: mbamContentProtector.txt Administrator: Yes Version: 2.2.1.1039 Malware Database: v2016.07.19.04 Rootkit Database: v2016.05.27.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Enabled OS: Windows 10 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 307227 Time Elapsed: 1 hr, 30 min, 59 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: 
Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 2 PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\ContentProtector.exe, 5636, Delete-on-Reboot, [ab3549dcf2a8d85e5c0014df27dcdc24] PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\ContentProtectorUpdate.exe, 2608, Delete-on-Reboot, [4a96c95c35650f2794ca8e65768d53ad] Modules: 0 (No malicious items detected) Registry Keys: 17 PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\TYPELIB\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}, Quarantined, [c020f82d1189290d3a984b4ccb37619f], PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\INTERFACE\{B28F9114-243E-4046-B173-11825352D18A}, Quarantined, [c020f82d1189290d3a984b4ccb37619f], PUP.Optional.ContentDefender, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{B28F9114-243E-4046-B173-11825352D18A}, Quarantined, [c020f82d1189290d3a984b4ccb37619f], PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{B28F9114-243E-4046-B173-11825352D18A}, Quarantined, [c020f82d1189290d3a984b4ccb37619f], PUP.Optional.ContentDefender, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}, Quarantined, [c020f82d1189290d3a984b4ccb37619f], PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}, Quarantined, [c020f82d1189290d3a984b4ccb37619f], PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\TYPELIB\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}, Quarantined, [19c73ee73466c670d9fa62352cd65da3], PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\INTERFACE\{B910D9A1-9F21-484A-8650-82250DABF38E}, Quarantined, [19c73ee73466c670d9fa62352cd65da3], PUP.Optional.ContentDefender, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{B910D9A1-9F21-484A-8650-82250DABF38E}, Quarantined, [19c73ee73466c670d9fa62352cd65da3], PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{B910D9A1-9F21-484A-8650-82250DABF38E}, Quarantined, 
[19c73ee73466c670d9fa62352cd65da3], PUP.Optional.ContentDefender, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}, Quarantined, [19c73ee73466c670d9fa62352cd65da3], PUP.Optional.ContentDefender, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}, Quarantined, [19c73ee73466c670d9fa62352cd65da3], PUP.Optional.ContentProtector, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ContentProtector, Quarantined, [35ab4bda3e5ca78ffb70d0f502ffd828], PUP.Optional.ContentProtector, HKLM\SOFTWARE\CONTENTPROTECTOR, Quarantined, [0bd58d98b2e873c3669d8676a65d0df3], PUP.Optional.ContentProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ContentProtector, Quarantined, [ab3549dcf2a8d85e5c0014df27dcdc24], PUP.Optional.ContentProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ContentProtectorDrv, Quarantined, [fee28d98b8e2fe38f6678d66b54e916f], PUP.Optional.ContentProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ContentProtectorUpdate, Quarantined, [4a96c95c35650f2794ca8e65768d53ad], Registry Values: 1 PUP.Optional.ContentProtector, HKLM\SOFTWARE\CONTENTPROTECTOR|campaignid, 0, Quarantined, [0bd58d98b2e873c3669d8676a65d0df3] Registry Data: 0 (No malicious items detected) Folders: 5 PUP.Optional.ContentProtector, C:\Program Files\ContentProtector, Delete-on-Reboot, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\cert, Delete-on-Reboot, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\cert\SSL, Delete-on-Reboot, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ContentProtector, Quarantined, [5888c65f6d2d3bfb49db4681748ea35d], Files: 23 PUP.Optional.ContentProtector, C:\WINDOWS\SYSTEM32\drivers\ContentProtectorDrv.sys, 
Delete-on-Reboot, [8269e5b1101add0709780fd66e9df59d], PUP.Optional.ContentProtector, C:\Users\{username}\Desktop\ConProtSe.exe, Quarantined, [79674adbcbcf2f07a8c30eb76b9606fa], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\ConProtSetup.exe, Quarantined, [35ab4bda3e5ca78ffb70d0f502ffd828], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\ContentProtector.exe, Delete-on-Reboot, [ab3549dcf2a8d85e5c0014df27dcdc24], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\ContentProtectorUpdate.exe, Delete-on-Reboot, [4a96c95c35650f2794ca8e65768d53ad], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\condefclean.exe, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\condefupdatePS.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\ContentProtectorConrol.exe, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\import_root_cert.exe, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\libeay32.dll, Delete-on-Reboot, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nfregdrv.exe, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\ssleay32.dll, Delete-on-Reboot, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\cert\SSL\cert.db, Delete-on-Reboot, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\cert\SSL\ContentProtector 2.cer, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss\certutil.exe, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program 
Files\ContentProtector\nss\mozcrt19.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss\nspr4.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss\nss3.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss\plc4.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss\plds4.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss\smime3.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\Program Files\ContentProtector\nss\softokn3.dll, Quarantined, [9749e63f702a41f59e85b71047bbd32d], PUP.Optional.ContentProtector, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ContentProtector\Settings.lnk, Quarantined, [5888c65f6d2d3bfb49db4681748ea35d], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
5. What is Window Range Manager?

The Malwarebytes research team has determined that Window Range Manager is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Window Range Manager?

You may see this entry in your list of installed programs:

How did Window Range Manager get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Window Range Manager?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Window Range Manager?

No, Malwarebytes Anti-Malware removes Window Range Manager completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Window Range Manager adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
(Plamsoft Inc.) C:\Program Files (x86)\winrange\WinRangeSync.exe
(Plamsoft Inc.) C:\Program Files (x86)\winrange\winrangetask.exe
R2 WinRangeSvc; C:\Program Files (x86)\winrange\WinRangeSync.exe [134656 2016-07-14] (Plamsoft Inc.) [File not signed]
C:\Program Files (x86)\winrange
Window Range Manager (HKLM-x32\...\Window Range Manager) (Version: 1.62 - Plamsoft Inc.)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\winrange
Adds the file cef.pak"="5/13/2016 10:00 AM, 2322682 bytes, A
Adds the file cef_100_percent.pak"="5/13/2016 10:00 AM, 144747 bytes, A
Adds the file cef_200_percent.pak"="5/13/2016 10:00 AM, 233072 bytes, A
Adds the file cef_extensions.pak"="5/13/2016 10:00 AM, 4282175 bytes, A
Adds the file d3dcompiler_43.dll"="5/13/2016 9:59 AM, 2106216 bytes, A
Adds the file d3dcompiler_47.dll"="5/13/2016 9:59 AM, 3709120 bytes, A
Adds the file devtools_resources.pak"="5/13/2016 10:00 AM, 4665083 bytes, A
Adds the file icudtl.dat"="5/13/2016 10:00 AM, 10207936 bytes, A
Adds the file libcef.dll"="5/13/2016 9:59 AM, 48936448 bytes, A
Adds the file libcurl.dll"="10/27/2014 6:11 PM, 1358336 bytes, A
Adds the file libEGL.dll"="5/13/2016 9:59 AM, 75264 bytes, A
Adds the file libGLESv2.dll"="5/13/2016 9:59 AM, 1665024 bytes, A
Adds the file log4cplusU.dll"="1/14/2015 11:55 AM, 386560 bytes, A
Adds the file natives_blob.bin"="5/13/2016 9:59 AM, 412130 bytes, A
Adds the file snapshot_blob.bin"="5/13/2016 9:59 AM, 486072 bytes, A
Adds the file Uninstall.exe"="7/18/2016 8:45 AM, 141790 bytes, A
Adds the file widevinecdmadapter.dll"="5/13/2016 9:59 AM, 182784 bytes, A
Adds the file WinRange.exe"="7/14/2016 6:00 PM, 631808 bytes, A
Adds the file WinRangeSync.exe"="7/14/2016 5:52 PM, 134656 bytes, A
Adds the file winrangetask.exe"="7/14/2016 5:53 PM, 1822720 bytes, A
Adds the file wow_helper.exe"="5/13/2016 9:59 AM, 67072 bytes, A
Adds the folder C:\Program Files (x86)\winrange\locales
Adds the file am.pak"="5/13/2016 12:39 AM, 67979 bytes, A
Adds the file ar.pak"="5/13/2016 12:39 AM, 67998 bytes, A
Adds the file bg.pak"="5/13/2016 12:39 AM, 75625 bytes, A
Adds the file bn.pak"="5/13/2016 12:39 AM, 100062 bytes, A
Adds the file ca.pak"="5/13/2016 12:39 AM, 49278 bytes, A
Adds the file cs.pak"="5/13/2016 12:39 AM, 49160 bytes, A
Adds the file da.pak"="5/13/2016 12:39 AM, 44996 bytes, A
Adds the file de.pak"="5/13/2016 12:39 AM, 48672 bytes, A
Adds the file el.pak"="5/13/2016 12:39 AM, 84473 bytes, A
Adds the file en-GB.pak"="5/13/2016 12:39 AM, 40510 bytes, A
Adds the file en-US.pak"="5/13/2016 12:39 AM, 40614 bytes, A
Adds the file es.pak"="5/13/2016 12:39 AM, 49520 bytes, A
Adds the file es-419.pak"="5/13/2016 12:39 AM, 47850 bytes, A
Adds the file et.pak"="5/13/2016 12:39 AM, 42620 bytes, A
Adds the file fa.pak"="5/13/2016 12:39 AM, 66307 bytes, A
Adds the file fi.pak"="5/13/2016 12:39 AM, 44516 bytes, A
Adds the file fil.pak"="5/13/2016 12:39 AM, 49907 bytes, A
Adds the file fr.pak"="5/13/2016 12:39 AM, 51933 bytes, A
Adds the file gu.pak"="5/13/2016 12:39 AM, 94190 bytes, A
Adds the file he.pak"="5/13/2016 12:39 AM, 56107 bytes, A
Adds the file hi.pak"="5/13/2016 12:39 AM, 96483 bytes, A
Adds the file hr.pak"="5/13/2016 12:39 AM, 46251 bytes, A
Adds the file hu.pak"="5/13/2016 12:39 AM, 49509 bytes, A
Adds the file id.pak"="5/13/2016 12:39 AM, 43040 bytes, A
Adds the file it.pak"="5/13/2016 12:39 AM, 47456 bytes, A
Adds the file ja.pak"="5/13/2016 12:39 AM, 57827 bytes, A
Adds the file kn.pak"="5/13/2016 12:39 AM, 108050 bytes, A
Adds the file ko.pak"="5/13/2016 12:39 AM, 48903 bytes, A
Adds the file lt.pak"="5/13/2016 12:39 AM, 49505 bytes, A
Adds the file lv.pak"="5/13/2016 12:39 AM, 50527 bytes, A
Adds the file ml.pak"="5/13/2016 12:39 AM, 117720 bytes, A
Adds the file mr.pak"="5/13/2016 12:39 AM, 96994 bytes, A
Adds the file ms.pak"="5/13/2016 12:39 AM, 43817 bytes, A
Adds the file nb.pak"="5/13/2016 12:39 AM, 44056 bytes, A
Adds the file nl.pak"="5/13/2016 12:39 AM, 46022 bytes, A
Adds the file pl.pak"="5/13/2016 12:39 AM, 48480 bytes, A
Adds the file pt-BR.pak"="5/13/2016 12:39 AM, 47944 bytes, A
Adds the file pt-PT.pak"="5/13/2016 12:39 AM, 47585 bytes, A
Adds the file ro.pak"="5/13/2016 12:39 AM, 49212 bytes, A
Adds the file ru.pak"="5/13/2016 12:39 AM, 74285 bytes, A
Adds the file sk.pak"="5/13/2016 12:39 AM, 49566 bytes, A
Adds the file sl.pak"="5/13/2016 12:39 AM, 46447 bytes, A
Adds the file sr.pak"="5/13/2016 12:39 AM, 72828 bytes, A
Adds the file sv.pak"="5/13/2016 12:39 AM, 43700 bytes, A
Adds the file sw.pak"="5/13/2016 12:39 AM, 43959 bytes, A
Adds the file ta.pak"="5/13/2016 12:39 AM, 111763 bytes, A
Adds the file te.pak"="5/13/2016 12:39 AM, 102971 bytes, A
Adds the file th.pak"="5/13/2016 12:39 AM, 91898 bytes, A
Adds the file tr.pak"="5/13/2016 12:39 AM, 46294 bytes, A
Adds the file uk.pak"="5/13/2016 12:39 AM, 77049 bytes, A
Adds the file vi.pak"="5/13/2016 12:39 AM, 53252 bytes, A
Adds the file zh-CN.pak"="5/13/2016 12:39 AM, 39499 bytes, A
Adds the file zh-TW.pak"="5/13/2016 12:39 AM, 40229 bytes, A
Adds the folder C:\Program Files (x86)\winrange\plugins
Adds the file pepflashplayer.dll"="6/30/2016 3:25 AM, 31555776 bytes, A
Adds the folder C:\Program Files (x86)\winrange\Update

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\okwinrange]
"ID"="REG_SZ", "C981F2FF-0679-4A1D-9493-30939A937C67"
"InstallAMID"="REG_SZ", ""
"InstallSID"="REG_SZ", ""
"Version"="REG_SZ", "162"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Window Range Manager]
"DisplayName"="REG_SZ", "Window Range Manager"
"DisplayVersion"="REG_SZ", "1.62"
"EstimatedSize"="REG_DWORD", 81456
"InstallDate"="REG_SZ", "20150718"
"Publisher"="REG_SZ", "Plamsoft Inc."
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\winrange\uninstall.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\okwinrange]
"ID"="REG_SZ", "C981F2FF-0679-4A1D-9493-30939A937C67"
"InstallAMID"="REG_SZ", "0"
"InstallDate"="REG_SZ", "18.07.2016 8:45"
"InstallSID"="REG_SZ", ""
"restart1"="REG_SZ", "1"
"Success"="REG_SZ", "1"
"Version"="REG_SZ", "162"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinRangeSvc]
"DisplayName"="REG_SZ", "Window Range Manager"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\winrange\WinRangeSync.exe"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\Users\{username}\Desktop\setup.exe"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\winmnt]
"Success"="REG_SZ", "1"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/18/2016
Scan Time: 8:53 AM
Logfile: mbamWindowsRangeManager.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.18.04
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 315147
Time Elapsed: 8 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.WindowRangeManager, C:\Program Files (x86)\winrange\WinRangeSync.exe, 4040, Delete-on-Reboot, [33499095f3a7aa8c818bd9da3cc8c040]

Modules: 1
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\libcurl.dll, Delete-on-Reboot, [413bc75eb0ea49ed85313c77d52f9868],

Registry Keys: 2
PUP.Optional.WindowRangeManager, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinRangeSvc, Quarantined, [33499095f3a7aa8c818bd9da3cc8c040],
PUP.Optional.WinRange, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Window Range Manager, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],

Registry Values: 1
PUP.Optional.WinRange, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinRangeSvc|ImagePath, C:\Program Files (x86)\winrange\WinRangeSync.exe, Quarantined, [18645cc93d5d91a5ab0d5360d72d966a]

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.WinRange, C:\Program Files (x86)\winrange, Delete-on-Reboot, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\plugins, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\Update, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],

Files: 76
PUP.Optional.WindowRangeManager, C:\Program Files (x86)\winrange\WinRangeSync.exe, Delete-on-Reboot, [33499095f3a7aa8c818bd9da3cc8c040],
PUP.Optional.WindowRangeManager, C:\Users\{username}\Desktop\setup.exe, Quarantined, [e39949dcb4e6b87ee721bcf77b89ef11],
PUP.Optional.WindowRangeManager, C:\Program Files (x86)\winrange\WinRange.exe, Quarantined, [2a5253d29efcf5418e7ed0e3f014b54b],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\libcef.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\libGLESv2.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\cef.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\cef_100_percent.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\cef_200_percent.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\cef_extensions.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\d3dcompiler_43.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\d3dcompiler_47.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\devtools_resources.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\icudtl.dat, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\libcurl.dll, Delete-on-Reboot, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\libEGL.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\log4cplusU.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\natives_blob.bin, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\snapshot_blob.bin, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\Uninstall.exe, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\widevinecdmadapter.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\winrangetask.exe, Delete-on-Reboot, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\wow_helper.exe, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\hi.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\am.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ar.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\bg.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\bn.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ca.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\cs.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\da.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\de.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\el.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\en-GB.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\en-US.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\es-419.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\es.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\et.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\fa.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\fi.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\fil.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\fr.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\gu.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\he.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\hr.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\hu.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\id.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\it.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ja.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\kn.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ko.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\lt.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\lv.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ml.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\mr.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ms.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\nb.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\nl.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\pl.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\pt-BR.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\pt-PT.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ro.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ru.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\sk.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\sl.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\sr.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\sv.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\sw.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\ta.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\te.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\th.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\tr.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\uk.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\vi.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\zh-CN.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\locales\zh-TW.pak, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],
PUP.Optional.WinRange, C:\Program Files (x86)\winrange\plugins\pepflashplayer.dll, Quarantined, [413bc75eb0ea49ed85313c77d52f9868],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  6. What is Zingload?
The Malwarebytes research team has determined that Zingload is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Zingload?
You may see this entry in your list of installed programs:
and notice that the shortcuts for your browsers on the desktop, in the taskbar, and in the startmenu have been altered:
This will be the page that opens when you start those browsers:
and these settings in Chrome (as an example):

How did Zingload get on my computer?
Adware applications use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove Zingload?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Zingload?
You should have a look at the Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Zingload adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.zingload.com/?type=ll&uid={uid}
FF Homepage: hxxp://www.zingload.com/?type=hp&uid={uid}
FF SearchPlugin: C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\nch5mqsa.default\searchplugins\zingload.xml [2016-07-15]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.zingload.com/?type=ll&uid={uid}
CHR HomePage: Default -> hxxp://www.zingload.com/?type=hp&uid={uid}
CHR StartupUrls: Default -> "hxxp://www.zingload.com/?type=hp&uid={uid}"
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.zingload.com/?type=ll&uid={uid}
C:\Users\{username}\AppData\Local\Temp\1468571993VkJPWtmp.exe
FastCompress-Zip_1.0.2.3_Release (HKLM-x32\...\FastCompress-Zip) (Version: - )
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.zingload.com/?type=ll&uid={uid}

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs
   Alters the file Google Chrome.lnk   6/28/2016 9:16 AM, 2195 bytes, A ==> 7/15/2016 10:40 AM, 2343 bytes, A
   Alters the file Mozilla Firefox.lnk   2/8/2016 1:27 PM, 1159 bytes, A ==> 7/15/2016 10:40 AM, 1307 bytes, A
In the existing folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default
   Alters the file Secure Preferences   7/8/2016 8:40 AM, 37517 bytes, A ==> 7/15/2016 10:40 AM, 38068 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
   Alters the file Google Chrome.lnk   2/10/2016 11:39 AM, 2279 bytes, A ==> 7/15/2016 10:40 AM, 2427 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
   Alters the file Google Chrome.lnk   3/3/2016 10:14 AM, 2393 bytes, A ==> 7/15/2016 10:40 AM, 2541 bytes, A
   Alters the file Mozilla Firefox.lnk   6/20/2016 11:24 AM, 1159 bytes, A ==> 7/15/2016 10:40 AM, 1331 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default
   Alters the file prefs.js   7/15/2016 10:33 AM, 10586 bytes, A ==> 7/15/2016 10:40 AM, 10703 bytes, A
   Adds the file search-metadata.json"="7/15/2016 10:40 AM, 89 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\searchplugins
   Adds the file zingload.xml"="7/15/2016 10:40 AM, 534 bytes, A
In the existing folder C:\Users\Public\Desktop
   Alters the file Google Chrome.lnk   6/28/2016 9:16 AM, 2183 bytes, A ==> 7/15/2016 10:40 AM, 2331 bytes, A
   Alters the file Mozilla Firefox.lnk   2/8/2016 1:27 PM, 1147 bytes, A ==> 7/15/2016 10:40 AM, 1295 bytes, A
   Alters the file Opera.lnk   2/8/2016 1:39 PM, 1135 bytes, A ==> 7/15/2016 10:40 AM, 1259 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
   "(Default)" = REG_SZ, ""C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
   "(Default)" = REG_SZ, ""C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
   "(Default)" = REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\OperaStable\shell\open\command]
   "(Default)" = REG_SZ, ""C:\Program Files (x86)\Opera\Launcher.exe" http://www.zingload.com/?type=ll&uid={uid}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
   "DefaultSearchProviderEnabled"="REG_SZ", "1"
   "DefaultSearchProviderKeyword"="REG_SZ", "zingload"
   "DefaultSearchProviderName"="REG_SZ", "Google"
   "DefaultSearchProviderSearchURL"="REG_SZ", "http://search.zingload.com/web?type=ds&x=fqxavzjbkb-292c0d15&uid={uid}&q={searchTerms}"

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/15/2016
Scan Time: 1:20 PM
Logfile: mbamZingload.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.15.04
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 315109
Time Elapsed: 13 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 6
PUP.Optional.Zingload, HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\FIREFOX.EXE\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (firefox.exe), Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[a1af37ed88123cfae19a773b00049868]
PUP.Optional.Zingload, HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\GOOGLE CHROME\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (Chrome.exe), Bad: ("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[5df351d3aeec082e602050629c68df21]
PUP.Optional.Zingload, HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\IEXPLORE.EXE\SHELL\OPEN\COMMAND, C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}, Good: (iexplore.exe), Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}),Replaced,[d67adc488b0f55e1fd7f318110f47987]
PUP.Optional.Zingload, HKLM\SOFTWARE\WOW6432NODE\CLIENTS\STARTMENUINTERNET\FIREFOX.EXE\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (firefox.exe), Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[0c44061e9a0079bd1665fab80ff5d927]
PUP.Optional.Zingload, HKLM\SOFTWARE\WOW6432NODE\CLIENTS\STARTMENUINTERNET\GOOGLE CHROME\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (Chrome.exe), Bad: ("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[f858b86c82180f276e12585ad52f18e8]
PUP.Optional.Zingload, HKLM\SOFTWARE\WOW6432NODE\CLIENTS\STARTMENUINTERNET\IEXPLORE.EXE\SHELL\OPEN\COMMAND, C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}, Good: (iexplore.exe), Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}),Replaced,[4a06c163bedc0e287606436fcf35fd03]

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Downloader, C:\Users\{username}\Desktop\InstallDingjDlr.exe, Quarantined, [2a26ad77207a1422ea33717b3ac729d7],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
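The Zingload signs above all share one shape: a browser's launch command (StartMenuInternet value or .lnk target) with a start URL appended to it. The following is an added example, not code from the original post or from Malwarebytes, that parses FRST-style lines and registry command values and flags that shape; the sample lines are constructed to mirror the log above, and the BROWSERS set is an assumption.

```python
"""Flag browser launch commands that carry an injected start URL.

Added example; not code from the original post or from Malwarebytes. It models
the check behind the "Good: (firefox.exe), Bad: (...)" entries in the log
above: a browser's StartMenuInternet command or .lnk target should end at the
executable (or a benign switch), never a trailing URL. Sample lines are
constructed to mirror the FRST signs in the post; BROWSERS is an assumption.
"""
import re
from dataclasses import dataclass

# Defanged (hxxp) or live scheme; FRST logs use the former.
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.IGNORECASE)
# Browser executables the installer targeted (launcher.exe is Opera's); assumed list.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "launcher.exe", "opera.exe"}


@dataclass
class Finding:
    source: str    # "StartMenuInternet", "ShortcutWithArgument" or "registry"
    browser: str   # executable name, lower-cased
    injected: str  # the URL riding on the launch command
    host: str      # its host: what to hunt for in the other browsers' settings


def split_command(cmd):
    """Split a launch command into (exe_path, trailing_arguments); the path may
    be double-quoted or an unquoted path ending in .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unbalanced quote: treat all as path
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\s*(.*)", cmd, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    return cmd, ""


def check_command(cmd, source="registry"):
    """Return a Finding when a browser is launched with a URL argument, else None."""
    exe, args = split_command(cmd)
    name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    m = URL_RE.search(args)
    if name in BROWSERS and m:
        url = m.group(0).strip('"')
        host = re.sub(r"^\w+://", "", url).split("/", 1)[0]
        return Finding(source, name, url, host)
    return None


def registry_value_command(reported_value):
    """Unwrap the outer quotes a registry report puts around a REG_SZ value."""
    v = reported_value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    return v


def cleaned_command(cmd):
    """The value a repair writes back: the executable alone, quoted."""
    exe, _ = split_command(cmd)
    return '"%s"' % exe


def scan_frst(text):
    """Walk FRST-style lines and collect browser launch commands carrying a URL."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("StartMenuInternet:"):
            # StartMenuInternet: <client name> - <command>
            _, _, rest = line.partition(":")
            _, _, cmd = rest.partition(" - ")
            found = check_command(cmd, "StartMenuInternet")
        elif line.startswith("ShortcutWithArgument:"):
            # ShortcutWithArgument: <.lnk> -> <target> (<publisher>) -> <argument>
            parts = [p.strip() for p in line.split(" -> ")]
            if len(parts) < 3:
                continue
            target = re.sub(r"\s*\([^)]*\)$", "", parts[1])  # drop "(Publisher)"
            found = check_command('"%s" %s' % (target, parts[2]), "ShortcutWithArgument")
        else:
            continue
        if found:
            findings.append(found)
    return findings


# Constructed sample modelled on the FRST signs above; the last two lines are
# clean (a command without arguments, and a benign Chrome profile switch).
SAMPLE_FRST = r"""
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.zingload.com/?type=ll&uid={uid}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe
ShortcutWithArgument: C:\Users\Public\Desktop\Work.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
"""

if __name__ == "__main__":
    for f in scan_frst(SAMPLE_FRST):
        print("%-21s %-12s -> %s" % (f.source, f.browser, f.injected))
```

The same check applied to the StartMenuInternet registry values above yields the "Good" value the log shows being written back: the quoted executable path with nothing after it.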
  7. What is Dotdo Applica?
The Malwarebytes research team has determined that Dotdo Applica is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Dotdo Applica?
You may see these entries in your list of installed programs:
and this Scheduled Task:

How did Dotdo Applica get on my computer?
Adware applications use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove Dotdo Applica?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Dotdo Applica?
No, Malwarebytes' Anti-Malware removes Dotdo Applica completely. Please note that this trojan deletes Scheduled Tasks that belong to legitimate programs and installs an outdated version of Adobe Flash, so you may have to re-install some programs to repair the damage.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this adware. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Dotdo Applica adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
() C:\Program Files (x86)\applica\applica.exe
HKLM\...\Run: [applica] => C:\Program Files (x86)\applica\applica.exe [4608 2016-04-18] ()
HKLM-x32\...\Run: [applica] => C:\Program Files (x86)\applica\applica.exe [4608 2016-04-18] ()
HKCU\...\Run: [applica] => C:\Program Files (x86)\applica\applica.exe [4608 2016-04-18] ()
(Adobe Systems Incorporated) C:\Users\{username}\AppData\Local\install_flash_player_21_active_x.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
C:\Windows\System32\Tasks\Adobe Flash Player Updater
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\SysWOW64\Macromed
C:\Windows\system32\Macromed
C:\Program Files (x86)\applica
C:\Users\{username}\AppData\Local\tr5b.txt
C:\Users\{username}\AppData\Local\setupone.exe
C:\Users\{username}\AppData\Local\aatxtname.txt
() C:\Users\{username}\AppData\Local\aatxtname.txt
() C:\Users\{username}\AppData\Local\ddnow.exe
() C:\Users\{username}\AppData\Local\ddnow4.exe
(Adobe Systems Incorporated) C:\Users\{username}\AppData\Local\install_flash_player_21_active_x.exe
() C:\Users\{username}\AppData\Local\ok223.txt
() C:\Users\{username}\AppData\Local\setupone.exe
() C:\Users\{username}\AppData\Local\tinstall.exe
() C:\Users\{username}\AppData\Local\tinstall4.exe
() C:\Users\{username}\AppData\Local\tr5b.txt
Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.213 - Adobe Systems Incorporated)
Applica (HKLM\...\Applica) (Version: - Dotdo)
Task: {5D3257BD-C310-47F4-9DB9-413E52A0AD2E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-14] (Adobe Systems Incorporated)
Task: {625E158E-2330-4D23-8DEB-D2BCD4445EE6} - \User_Feed_Synchronization-{EFFEA14C-5A8A-4071-873B-8F6712B52DEB} -> No File <==== ATTENTION
Task: {763B925E-B18B-41DF-88A5-70AD79410AD1} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {7E7C193D-CB12-42EB-A305-281CD70D9985} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {93845E4F-38D6-40C3-ACE2-6D55CF43344A} - \Total Uninstall -> No File <==== ATTENTION
Task: {E0CB09A0-9F85-456A-A98A-346264D47919} - \Opera scheduled Autoupdate 1454935183 -> No File <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
FirewallRules: [{374A8604-7292-4A6B-92B2-122E7C74C464}] => (Allow) C:\Users\{username}\AppData\Local\ddnowyes.exe
FirewallRules: [{4DC98209-8FB2-4AD4-B710-F4C1F304B02F}] => (Allow) C:\Users\{username}\Desktop\setup.exe
FirewallRules: [{E5F2CE33-97FE-4FDC-9BE4-73F4AB0AF130}] => (Allow) C:\Users\{username}\AppData\Local\88350222.exe
FirewallRules: [{0AE2515D-3007-4B4B-AB7D-17F0A16F598D}] => (Allow) C:\Users\{username}\AppData\Local\tinstall.exe

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\applica
   Adds the file applica.exe"="4/18/2016 2:02 PM, 4608 bytes, A
   Adds the file key.ini"="7/14/2016 1:46 PM, 0 bytes, A
   Adds the file uninstall.exe"="4/18/2016 2:14 PM, 37725 bytes, A
In the existing folder C:\Users\{username}\AppData\Local
   Adds the file aatxtname.txt"="7/14/2016 1:44 PM, 3 bytes, A
   Adds the file ddnow.exe"="5/18/2016 9:35 PM, 5120 bytes, A
   Adds the file ddnow4.exe"="5/18/2016 9:36 PM, 5632 bytes, A
   Adds the file install_flash_player_21_active_x.exe"="7/14/2016 1:46 PM, 19397312 bytes, A
   Adds the file ok223.txt"="3/18/2016 6:00 AM, 0 bytes, A
   Adds the file setupone.exe"="7/14/2016 1:45 PM, 61844 bytes, A
   Adds the file tinstall.exe"="5/12/2016 9:44 PM, 7680 bytes, A
   Adds the file tinstall4.exe"="5/12/2016 9:45 PM, 7680 bytes, A
   Adds the file tr5b.txt"="7/14/2016 1:46 PM, 0 bytes, A
Adds the folder C:\Windows\System32\Macromed\Flash
   Adds the file activex.vch"="7/14/2016 1:46 PM, 155815 bytes, A
   Adds the file Flash64_21_0_0_213.ocx"="7/14/2016 1:46 PM, 27167424 bytes, RA
   Adds the file FlashInstall.log"="7/14/2016 1:46 PM, 1932 bytes, A
   Adds the file FlashUtil64_21_0_0_213_ActiveX.dll"="7/14/2016 1:46 PM, 583872 bytes, A
   Adds the file FlashUtil64_21_0_0_213_ActiveX.exe"="7/14/2016 1:46 PM, 887488 bytes, A
In the existing folder C:\Windows\System32\Tasks
   Adds the file Adobe Flash Player Updater"="7/14/2016 1:46 PM, 3768 bytes, A
   (-)(FILE) GoogleUpdateTaskMachineCore"="5/17/2016 10:48 AM, 3642 bytes, A
   (-)(FILE) GoogleUpdateTaskMachineUA"="5/17/2016 10:48 AM, 3894 bytes, A
   (-)(FILE) Opera scheduled Autoupdate 1454935183"="7/14/2016 12:40 PM, 3854 bytes, A
In the existing folder C:\Windows\SysWOW64
   Adds the file FlashPlayerApp.exe"="7/14/2016 1:46 PM, 797376 bytes, A
   Adds the file FlashPlayerCPLApp.cpl"="7/14/2016 1:46 PM, 142528 bytes, A
Adds the folder C:\Windows\SysWOW64\Macromed\Flash
   Adds the file activex.vch"="7/14/2016 1:46 PM, 435207 bytes, A
   Adds the file Flash32_21_0_0_213.ocx"="7/14/2016 1:46 PM, 19473088 bytes, RA
   Adds the file FlashInstall.log"="7/14/2016 1:46 PM, 2012 bytes, A
   Adds the file FlashPlayerUpdateService.exe"="7/14/2016 1:46 PM, 269504 bytes, A
   Adds the file FlashUtil32_21_0_0_213_ActiveX.dll"="7/14/2016 1:46 PM, 514240 bytes, A
   Adds the file FlashUtil32_21_0_0_213_ActiveX.exe"="7/14/2016 1:46 PM, 1172672 bytes, A
In the existing folder C:\Windows\Tasks
   Adds the file Adobe Flash Player Updater.job"="7/14/2016 1:46 PM, 830 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\idot]
   "idot"="REG_SZ", "ok"
[HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayerActiveX]
   "isESR"="REG_DWORD", 0
   "isScriptDebugger"="REG_DWORD", 0
   "PlayerPath"="REG_SZ", "C:\Windows\system32\Macromed\Flash\Flash64_21_0_0_213.ocx"
   "UninstallerPath"="REG_SZ", "C:\Windows\system32\Macromed\Flash\FlashUtil64_21_0_0_213_ActiveX.exe"
   "Version"="REG_SZ", "21.0.0.213"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "applica"="REG_SZ", ""C:\Program Files (x86)\applica\applica.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
   "DisplayName"="REG_SZ", "Applica"
   "Publisher"="REG_SZ", "Dotdo"
   "UninstallString"="REG_SZ", "C:\Program Files (x86)\Applica\uninstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Macromedia\FlashPlayer]
   "CurrentVersion"="REG_SZ", "21,0,0,213"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
   "applica"="REG_SZ", ""C:\Program Files (x86)\applica\applica.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
   "DisplayIcon"="REG_SZ", "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_21_0_0_213_ActiveX.exe"
   "DisplayName"="REG_SZ", "Adobe Flash Player 21 ActiveX"
   "DisplayVersion"="REG_SZ", "21.0.0.213"
   "EstimatedSize"="REG_DWORD", 18942
   "HelpLink"="REG_SZ", "http://www.adobe.com/go/flashplayer_support/"
   "NoModify"="REG_DWORD", 1
   "NoRepair"="REG_DWORD", 1
   "Publisher"="REG_SZ", "Adobe Systems Incorporated"
   "RequiresIESysFile"="REG_SZ", "4.70.0.1155"
   "UninstallString"="REG_SZ", "C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_21_0_0_213_ActiveX.exe -maintain activex"
   "URLInfoAbout"="REG_SZ", "http://www.adobe.com"
   "URLUpdateInfo"="REG_SZ", "http://www.adobe.com/go/getflashplayer/"
   "VersionMajor"="REG_DWORD", 21
   "VersionMinor"="REG_DWORD", 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
   "applica"="REG_SZ", ""C:\Program Files (x86)\applica\applica.exe""

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/14/2016
Scan Time: 3:34 PM
Logfile: mbamDotoApplica.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.14.06
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314945
Time Elapsed: 11 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.Applica, C:\Program Files (x86)\applica\applica.exe, 2488, Delete-on-Reboot, [1bd381a2435743f35f99609a59aa8779]

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.Applica, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Applica, Quarantined, [1bd381a2435743f35f99609a59aa8779],
PUP.Optional.iDot, HKLM\SOFTWARE\IDOT, Quarantined, [6e8039ea3c5e96a0030d69939a6917e9],
Adware.Agent, HKLM\SOFTWARE\MICROSOFT\TRACING\ddnow_RASAPI32, Quarantined, [0de1fa29ff9bea4cd0f2ae4edc2737c9],
Adware.Agent, HKLM\SOFTWARE\MICROSOFT\TRACING\ddnow_RASMANCS, Quarantined, [d11df62d801a90a6caf8807cd42f18e8],

Registry Values: 4
PUP.Optional.Applica, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|applica, "C:\Program Files (x86)\applica\applica.exe", Quarantined, [1bd381a2435743f35f99609a59aa8779]
PUP.Optional.Applica, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|applica, "C:\Program Files (x86)\applica\applica.exe", Quarantined, [1bd381a2435743f35f99609a59aa8779]
PUP.Optional.Applica, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|applica, "C:\Program Files (x86)\applica\applica.exe", Quarantined, [1bd381a2435743f35f99609a59aa8779]
PUP.Optional.iDot, HKLM\SOFTWARE\IDOT|idot, ok, Quarantined, [6e8039ea3c5e96a0030d69939a6917e9]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.Applica, C:\Program Files (x86)\applica, Delete-on-Reboot, [1bd381a2435743f35f99609a59aa8779],

Files: 13
PUP.Optional.DotDo, C:\Users\{username}\Desktop\setup.exe, Quarantined, [945ada4907931b1b9be73c9714edf907],
PUP.Optional.DotDo, C:\Users\{username}\AppData\Local\tinstall.exe, Quarantined, [5995d053b8e27fb7265c13c038c9bc44],
PUP.Optional.DotDo, C:\Users\{username}\AppData\Local\tinstall4.exe, Quarantined, [ba34e63d27731c1aaed4a72cb44dd12f],
PUP.Optional.Applica, C:\Program Files (x86)\applica\key.ini, Quarantined, [1bd381a2435743f35f99609a59aa8779],
PUP.Optional.Applica, C:\Program Files (x86)\applica\applica.exe, Delete-on-Reboot, [1bd381a2435743f35f99609a59aa8779],
PUP.Optional.Applica, C:\Program Files (x86)\applica\uninstall.exe, Quarantined, [1bd381a2435743f35f99609a59aa8779],
Adware.Agent.Proxy, C:\Users\{username}\AppData\Local\ddnow.exe, Quarantined, [21cd27fc227880b61a20dd1eb0535ca4],
Adware.Agent.Proxy, C:\Users\{username}\AppData\Local\ddnow4.exe, Quarantined, [21cdea391783ed49a59630cb9d660bf5],
Adware.Agent.Proxy, C:\Users\{username}\AppData\Local\setupone.exe, Quarantined, [618d56cd9109a59143f975869073fc04],
Adware.Agent.Proxy, C:\Users\{username}\AppData\Local\tinstall.exe, Quarantined, [43ab1b08dfbb2d09b08e94677192ba46],
Adware.Agent.Trace, C:\Users\{username}\AppData\Local\aatxtname.txt, Quarantined, [09e5e43f0991d26481be11eaa85b728e],
Adware.Agent.Trace, C:\Users\{username}\AppData\Local\ok223.txt, Quarantined, [c22c64bf47539b9b4af6a05b61a2fb05],
Adware.Agent.Trace, C:\Users\{username}\AppData\Local\tr5b.txt, Quarantined, [e70742e16d2dba7cd968708bcb38a65a],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  8. What is Excel SA?
The Malwarebytes research team has determined that Excel SA is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by Excel SA?
You may see this warning that covers your whole screen and refreshes every few seconds:
and this entry in your list of installed programs:

How did Excel SA get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove Excel SA?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. But due to the behaviour of the program you will have to reboot into Safe Mode with Networking first.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
If you are unable to download, update or run Malwarebytes Anti-Malware, another option is to manually delete the file "C:\Windows\Microsoft Excel\Microsoft Excel\Microsoft Excel.exe" in Safe Mode.

Is there anything else I need to do to get rid of Excel SA?
No, Malwarebytes' Anti-Malware removes Excel SA completely.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this scam.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:
HKCU\...\Run: [Microsoft Excel] => C:\Windows\Microsoft Excel\Microsoft Excel\Microsoft Excel.exe [616960 2016-06-27] ()
C:\Windows\Microsoft Excel
Microsoft Excel (HKLM-x32\...\Microsoft Excel) (Version: S.A - Microsoft Excel)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Windows\Microsoft Excel\Microsoft Excel
   Adds the file Microsoft Excel.exe
   Adds the file Uninstall.exe"="7/8/2016 8:02 AM, 468026 bytes, A
   Adds the file Uninstall.ini"="7/8/2016 8:02 AM, 2575 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Excel]
   "DisplayIcon"="REG_SZ", "C:\Windows\Microsoft Excel\Microsoft Excel\Uninstall.exe"
   "DisplayName"="REG_SZ", "Microsoft Excel"
   "DisplayVersion"="REG_SZ", "S.A"
   "EstimatedSize"="REG_DWORD", 1060
   "InstallDate"="REG_SZ", "20160708"
   "InstallLocation"="REG_SZ", "C:\Windows\Microsoft Excel\Microsoft Excel\"
   "InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
   "Language"="REG_DWORD", 1033
   "NoModify"="REG_DWORD", 1
   "NoRepair"="REG_DWORD", 1
   "Publisher"="REG_SZ", "Microsoft Excel"
   "UninstallString"="REG_SZ", "C:\Windows\Microsoft Excel\Microsoft Excel\Uninstall.exe"
   "VersionMajor"="REG_DWORD", 0
   "VersionMinor"="REG_DWORD", 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
   "Microsoft Excel"="REG_SZ", "C:\Windows\Microsoft Excel\Microsoft Excel\Microsoft Excel.exe"

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/5/2016
Scan Time: 11:30 AM
Logfile: mbamBuzzingDhol.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.05.03
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314235
Time Elapsed: 7 min, 54 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.BuzzingDhol, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Microsoft Excel, Quarantined, [02658f911f7b2214883f996762a2aa56],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.BuzzingDhol, C:\Windows\Microsoft Excel\Microsoft Excel, Quarantined, [02658f911f7b2214883f996762a2aa56],

Files: 3
PUP.Optional.BuzzingDhol, C:\Windows\Microsoft Excel\Microsoft Excel\Microsoft Excel.exe, Quarantined, [02658f911f7b2214883f996762a2aa56],
PUP.Optional.BuzzingDhol, C:\Windows\Microsoft Excel\Microsoft Excel\Uninstall.exe, Quarantined, [02658f911f7b2214883f996762a2aa56],
PUP.Optional.BuzzingDhol, C:\Windows\Microsoft Excel\Microsoft Excel\Uninstall.ini, Quarantined, [02658f911f7b2214883f996762a2aa56],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  9. What is OneClickDownloader?
The Malwarebytes research team has determined that OneClickDownloader is a bundler. These so-called "bundlers" download and install other software on your system, often other PUPs and adware.

How do I know if my computer is affected by OneClickDownloader?
You may see this entry in your list of installed software:
and these warnings during install:

How did OneClickDownloader get on my computer?
Bundlers use different methods for distributing themselves. This particular one was offered as a download manager.

How do I remove OneClickDownloader?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of OneClickDownloader?
No, Malwarebytes' Anti-Malware removes OneClickDownloader completely.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this bundler. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the OneClickDownloader bundler. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
CHR HKLM-x32\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files (x86)\1ClickDownload\1click11.crx
C:\Program Files (x86)\1ClickDownload
1ClickDownloader (HKLM-x32\...\1ClickDownloader) (Version: 2.1 Build 26473 - 1ClickDownload) <==== ATTENTION

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Downloads
Adds the file Download magnetxt=urnbtihNHXA37QNI4LETIDMQPEOPAKJGTS5Z76E.lnk"="7/7/2016 9:00 AM, 1659 bytes, A
Adds the folder C:\Program Files (x86)\1ClickDownload
Adds the file magnetxt=urnbtihNHXA37QNI4LETIDMQPEOPAKJGTS5Z76E.magnet"="7/7/2016 8:58 AM, 575 bytes, A
Adds the file uninstall.exe"="7/7/2016 9:00 AM, 47474 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}\Instl\Data]
"afltId"="REG_SZ", "11111111"
"hrdId"="REG_SZ", "11111111"
"prtnrId"="REG_SZ", "11111111"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data]
"afltId"="REG_SZ", "11111111"
"hrdId"="REG_SZ", "11111111"
"prtnrId"="REG_SZ", "11111111"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data]
"afltId"="REG_SZ", "11111111"
"hrdId"="REG_SZ", "11111111"
"prtnrId"="REG_SZ", "11111111"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4BD8E034-E0F4-4509-A753-467A8E854CD8}]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
"InstallDate"="REG_SZ", "20160504"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A76AA284-E52D-47E6-9E4F-B85DBF8E35C3}]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh]
"path"="REG_SZ", "C:\Program Files (x86)\1ClickDownload\1click11.crx"
"version"="REG_SZ", "1.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4BD8E034-E0F4-4509-A753-467A8E854CD8}]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
"InstallDate"="REG_SZ", "20160504"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A76AA284-E52D-47E6-9E4F-B85DBF8E35C3}]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownloader]
"DisplayName"="REG_SZ", "1ClickDownloader"
"DisplayVersion"="REG_SZ", "2.1 Build 26473"
"Publisher"="REG_SZ", "1ClickDownload"
"UninstallString"="REG_SZ", "C:\Program Files (x86)\1ClickDownload\uninstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP]
"InstallDate"="REG_SZ", "20160503"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SweetIM]
"simapp_id"="REG_SZ", "11111111"
[HKEY_CURRENT_USER\Software\1ClickDownload]
"LastInstall"="REG_SZ", "30529582"
"LastInstall2"="REG_SZ", "30529582"
"UID"="REG_SZ", "255245968"
[HKEY_CURRENT_USER\Software\IncrediMail]
"ApplicationPath"="REG_SZ", "11111111"
[HKEY_CURRENT_USER\Software\SweetIM]
"simapp_id"="REG_SZ", "11111111"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/7/2016
Scan Time: 9:09 AM
Logfile: mbam1ClickDownloader.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.07.01
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314381
Time Elapsed: 8 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 11
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [71bc5ec3d6c4e74fc6eeeea932d035cb],
Adware.1ClickDownload, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [71bc5ec3d6c4e74fc6eeeea932d035cb],
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [71bc5ec3d6c4e74fc6eeeea932d035cb],
PUP.Optional.Iminent, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IMBoosterARP, Quarantined, [b07dfb260e8c1224e434693ee61d748c],
PUP.Optional.Yontoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}, Quarantined, [c469f32ee6b45bdb50af805eb350bd43],
PUP.Optional.SweetIM, HKLM\SOFTWARE\WOW6432NODE\SweetIM, Quarantined, [5bd2f1307c1ee74f52af3a7ece35d12f],
PUP.Optional.1ClickDownload, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\jplinpmadfkdgipabgcdchbdikologlh, Quarantined, [ec41ea375842cc6a3ea040aeea19db25],
PUP.Optional.Iminent, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IMBoosterARP, Quarantined, [4de09c858e0c0e28ce4a386f53b009f7],
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}, Quarantined, [2706f62bb2e881b5906f4b93748fae52],
PUP.Optional.1ClickDownload, HKCU\SOFTWARE\1ClickDownload, Quarantined, [9a93d0515e3c2c0a106aff97bf44d22e],
PUP.Optional.SweetIM, HKCU\SOFTWARE\SweetIM, Quarantined, [280560c12674df5725d871465fa4a65a],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  10. What is NetSecure?

The Malwarebytes research team has determined that NetSecure is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by NetSecure?

You may see these proxy settings in Internet Explorer > Internet Options > Connections > LAN Settings:
and find this Visual Basic script in your Windows directory:

How did NetSecure get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove NetSecure?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to:
Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of NetSecure?

No, Malwarebytes' Anti-Malware removes NetSecure completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the NetSecure adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
(The Privoxy team - www.privoxy.org) C:\Windows\{computername}_020716\oxy.exe
(www.searchz.co) C:\Windows\{username}-pc_020716\netsafe.exe
HKLM-x32\...\Run: [Secured Net] => "C:\Windows\{computername}_020716\netsafe.exe"
ProxyEnable: [{UserID}] => Proxy is enabled.
ProxyServer: [{UserID}] => 127.0.0.1:8118
R2 NetSecure; C:\Windows\{computername}_020716\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
C:\Windows\{computername}_020716
C:\Windows\ie.vbs
() C:\Windows\{computername}_020716\mgwz.dll
() C:\Windows\{computername}_020716\Trackerbird.Tracker.dll

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Windows
Adds the file ie.vbs"="7/2/2016 8:58 AM, 133 bytes, A
Adds the folder C:\Windows\{computername}_020716
Adds the file config.txt"="3/28/2016 3:22 PM, 407 bytes, A
Adds the file default.action"="2/7/2016 6:10 AM, 21 bytes, A
Adds the file default.filter"="12/31/2003 10:52 AM, 108 bytes, A
Adds the file Interop.SHDocVw.dll"="4/4/2016 6:03 AM, 143872 bytes, A
Adds the file mgwz.dll"="1/22/2016 4:45 AM, 86528 bytes, A
Adds the file netsafe.exe"="7/2/2016 9:15 AM, 393216 bytes, A
Adds the file netsafe.exe.config"="5/26/2016 3:53 PM, 146 bytes, A
Adds the file oxy.exe"="1/22/2016 4:45 AM, 373248 bytes, A
Adds the file oxy.log"="7/6/2016 8:38 AM, 0 bytes, A
Adds the file tbconfig.xml"="7/6/2016 8:38 AM, 4711 bytes, A
Adds the file tbinfo.xml"="7/6/2016 8:38 AM, 1041 bytes, A
Adds the file tblog.log"="7/6/2016 8:38 AM, 211 bytes, A
Adds the file Trackerbird.Tracker.dll"="12/7/2015 5:00 AM, 20600 bytes, A
Adds the file Trackerbird.Tracker.xml"="12/7/2015 4:59 AM, 20874 bytes, A
Adds the file Trackerbird.x64.dll"="12/7/2015 5:00 AM, 1265784 bytes, A
Adds the file Trackerbird.x86.dll"="12/7/2015 5:00 AM, 900216 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Secured Net"="REG_SZ", ""C:\Windows\{computername}_020716\netsafe.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB71BAC7-A250-4A3D-8FDB-AF92D73FD1F9}_is1]
"DisplayVersion"="REG_SZ", "4.01.0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetSecure]
"Description"="REG_SZ", "Secured Layered Network Service"
"DisplayName"="REG_SZ", "NetSecure"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Windows\{computername}_020716\oxy.exe --service"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"= REG_DWORD, 1
"ProxyServer"="REG_SZ", "127.0.0.1:8118"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/6/2016
Scan Time: 8:59 AM
Logfile: mbamNetSecure.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.06.02
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314697
Time Elapsed: 9 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe, 2680, Delete-on-Reboot, [0bbf9b85732711257110d0d9f41029d7]
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.exe, 3564, Delete-on-Reboot, [6664f030871391a5ff818623be460bf5]

Modules: 3
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\mgwz.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x86.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],

Registry Keys: 1
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE, Quarantined, [6664f030871391a5ff818623be460bf5],

Registry Values: 3
PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Secured Net, "C:\Windows\{computername}_020716\netsafe.exe", Quarantined, [0bbf9b85732711257110d0d9f41029d7]
PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE|ImagePath, C:\Windows\{computername}_020716\oxy.exe --service, Quarantined, [6664f030871391a5ff818623be460bf5]
PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, Quarantined, [7951968af7a3e4520054d5fdbb48dc24]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.Privoxy, C:\Windows\{computername}_020716, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],

Files: 18
PUP.Optional.NetSecure, C:\Users\{username}\Desktop\NetSecure.exe, Quarantined, [399166ba5d3d2412b9dab3f63cc8f907],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe, Delete-on-Reboot, [0bbf9b85732711257110d0d9f41029d7],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.exe, Delete-on-Reboot, [6664f030871391a5ff818623be460bf5],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\config.txt, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\default.action, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\default.filter, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Interop.SHDocVw.dll, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\mgwz.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe.config, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.log, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tbconfig.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tbinfo.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tblog.log, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x64.dll, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x86.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b],
PUP.Optional.AdServer, C:\Windows\ie.vbs, Quarantined, [5971829e099178bea1f718918a7a8878],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  11. What is Pro PC Clean?

The Malwarebytes research team has determined that Pro PC Clean is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.
For more information on this particular type of Windows Shell hijackers please read this blog post.

How do I know if my computer is affected by Pro PC Clean?

You may see this warning during install:
and this entry in your list of installed programs:

How did Pro PC Clean get on my computer?

Tech Support Scammers use different methods for distributing themselves. This one makes it appear the system hangs after logging in, while displaying a pop-up with the Tech Support Scammers number.

How do I remove Pro PC Clean?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. But due to the way this TechSupportScam installs itself we will need a way to bypass it.

If you already have Malwarebytes Anti-Malware installed, you can use Chameleon to get rid of this infection.
In the TechSupportScam screen use the key combination Ctrl-Alt-Del. From the resulting list of options choose "Start Task Manager".
In the list of processes find every process called "error(.exe)", select them one by one and click on the "End Process" button. Confirm that you want to end the process.
Then in the Task Manager menu click "File" > "New Task (Run...)" > "Browse..."
In the resulting explorer window navigate to the Chameleon folder, usually "C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows" and double-click on "iexplore(.exe)" and follow the instructions ("Press any key to continue").
Chameleon will kill the process and start Malwarebytes Anti-Malware to finish it up. Reboot when prompted to do so and everything should be fine.

If you do not have Malwarebytes Anti-Malware installed, please proceed as follows.
In the TechSupportScam screen use the key combination Ctrl-Alt-Del. From the resulting list of options choose "Start Task Manager".
In the list of processes find every process called "error(.exe)", select them one by one and click on the "End Process" button. Confirm that you want to end the process.
Then in the Task Manager menu click "File" > "New Task (Run...)" and type "explorer" and then press "Enter".
You should see your Desktop again. If not, navigate to "C:\Program Files (x86)" and find a folder that has the same name as your computer. In that folder find the file "error(.exe)" and delete the file. Reboot when it is gone and your system should boot normally again.

Next, download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-version.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to the following:
Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is found, it will be downloaded before the scan proceeds.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Pro PC Clean?

No, Malwarebytes' Anti-Malware removes Pro PC Clean completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this Tech Support Scam.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.
Technical details for experts

You may see these entries in FRST logs:
HKLM-x32\...\Winlogon: [Shell] C:\Program Files (x86)\Pro PC Clean\error.exe [320512 ] () <=== ATTENTION
HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\Pro PC Clean\error.exe [320512 2016-04-20] () <==== ATTENTION
C:\Program Files (x86)\Pro PC Clean
Pro PC Clean (HKLM-x32\...\Pro PC Clean) (Version: - )

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Pro PC Clean
Adds the file error.exe"="4/20/2016 6:35 PM, 320512 bytes, A
Adds the file rst30.bat"="4/20/2016 3:39 PM, 158 bytes, A
Adds the file Uninstall.exe"="7/5/2016 8:38 AM, 75315 bytes, A
Adds the file Uninstall.ini"="7/5/2016 8:38 AM, 1555 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Pro PC Clean]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Pro PC Clean\Uninstall.exe"
"DisplayName"="REG_SZ", "Pro PC Clean"
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"UninstallString"="REG_SZ", "C:\Program Files (x86)\Pro PC Clean\Uninstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = REG_SZ, "C:\Program Files (x86)\Pro PC Clean\error.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="REG_SZ", "C:\Program Files (x86)\Pro PC Clean\error.exe"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/5/2016
Scan Time: 8:57 AM
Logfile: mbamProPCClean.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.05.02
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314243
Time Elapsed: 8 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Rogue.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Pro PC Clean, Quarantined, [bcaa54cc65353df9dcfe7b8215ee718f],

Registry Values: 0
(No malicious items detected)

Registry Data: 2
Hijack.Shell, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\Pro PC Clean\error.exe, Good: (Explorer.exe), Bad: (C:\Program Files (x86)\Pro PC Clean\error.exe),Replaced,[aabcbc647228ae886bd9c1b9857fb54b]
Hijack.Shell, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\Pro PC Clean\error.exe, Good: (Explorer.exe), Bad: (C:\Program Files (x86)\Pro PC Clean\error.exe),Replaced,[7aecf9279109e452aba1cab020e4ef11]

Folders: 1
Rogue.TechSupportScam, C:\Program Files (x86)\Pro PC Clean, Quarantined, [bcaa54cc65353df9dcfe7b8215ee718f],

Files: 5
Rogue.TechSupportScam, C:\Users\{username}\Desktop\f0844.exe, Quarantined, [3a2c3ae67e1c1c1a2c3e66724db4d828],
Rogue.TechSupportScam, C:\Program Files (x86)\Pro PC Clean\error.exe, Quarantined, [5c0a849c6a3024125340e7709e62d22e],
Rogue.TechSupportScam, C:\Program Files (x86)\Pro PC Clean\rst30.bat, Quarantined, [bcaa54cc65353df9dcfe7b8215ee718f],
Rogue.TechSupportScam, C:\Program Files (x86)\Pro PC Clean\Uninstall.exe, Quarantined, [bcaa54cc65353df9dcfe7b8215ee718f],
Rogue.TechSupportScam, C:\Program Files (x86)\Pro PC Clean\Uninstall.ini, Quarantined, [bcaa54cc65353df9dcfe7b8215ee718f],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
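The three write-ups above (OneClickDownloader, NetSecure and Pro PC Clean) each show the same kind of evidence in their FRST and registry listings: a Chrome extension force-registered under Google\Chrome\Extensions, an IE proxy pointed at 127.0.0.1:8118 with a Run entry and a service living in an odd C:\Windows subfolder, and a Winlogon Shell value replaced by error.exe. The script below is an added example, not part of these posts or of any Malwarebytes tool; it reads those same locations on a live system and reports anything that deviates from the normal state, without changing anything. The exclusion lists for "normal" Windows subfolders are my own assumption and will still surface some legitimate entries for review.

```powershell
# Added example (not from the original posts): read-only triage of the
# hijack and persistence locations shown in the write-ups above.
# Run from an elevated PowerShell prompt; nothing here modifies the system.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Shell must be explorer.exe. Pro PC Clean replaced it in the
#    32-bit machine view and in the per-user key (which normally has none).
$shellKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $shellKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and ($shell -ne 'explorer.exe')) {
        $findings.Add("Winlogon Shell hijack: $key -> $shell")
    }
}

# 2. Per-user proxy settings. NetSecure enabled a local Privoxy on 127.0.0.1:8118.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $findings.Add("Proxy enabled in HKCU Internet Settings: $($inet.ProxyServer)")
}

# 3. Run entries whose command lives directly under C:\Windows but outside the
#    usual system directories (NetSecure used C:\Windows\<computername>_<date>\).
#    Assumption: this exclusion list is ours; extend it if your build differs.
$oddWindowsPath = '(?i)^"?C:\\Windows\\(?!System32|SysWOW64|WinSxS|Microsoft\.NET|servicing)'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        $cmd = [string]$p.Value
        if ($cmd -match $oddWindowsPath) {
            $findings.Add("Run entry in odd Windows subfolder: $key\$($p.Name) -> $cmd")
        }
    }
}

# 4. Chrome extensions registered through the registry rather than the browser
#    (1ClickDownloader registered its .crx this way with "path" and "version").
$extKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'
)
foreach ($key in $extKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $findings.Add("Registry-installed Chrome extension: $($_.PSChildName) path=$($p.path) version=$($p.version)")
    }
}

# 5. Services whose binary is in a non-standard C:\Windows subfolder
#    (NetSecure ran "oxy.exe --service" as LocalSystem from such a folder).
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $oddWindowsPath } | ForEach-Object {
    $findings.Add("Service from odd Windows subfolder: $($_.Name) -> $($_.PathName)")
}

if ($findings.Count -eq 0) { 'No hijack indicators found.' } else { $findings }
```

Treat the output as a review list rather than a verdict: a Run entry or service under C:\Windows is unusual for third-party software but not impossible for OEM tools, whereas a non-explorer Winlogon Shell or a proxy on a loopback port that nothing you installed should be listening on is worth acting on immediately, exactly as the logs above show Malwarebytes doing.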
  12. If none of the instructions in these tutorials worked to fully resolve your issues then please do the following to receive free one-on-one expert assistance with cleaning your system:

Please read and follow the directions here, skipping any steps you are unable to complete. Then create a NEW topic here. One of the expert helpers there will give you one on one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum in the above link anyway and someone will be able to assist you.

If you prefer to be assisted via email you may contact Malwarebytes Consumer Support and one of our support staff members will assist you directly.

If you are a reseller, affiliate, technician, corporate, business, educational, government or non-profit customer then please contact Malwarebytes Business Support and include full contact details along with your Cleverbridge order Reference # when you do to ensure that you receive prompt assistance.

Thank you

And remember, an ounce of prevention is worth a pound of cure. Next time keep yourself from getting infected in the first place by adding Malwarebytes Anti-Malware Premium to your current security setup to keep these infections from getting to your systems.
  13. Sometimes after removing malware or potentially unwanted programs (PUPs) scheduled tasks are left behind which might result in "missing file" errors. This post will explain how you can delete unwanted scheduled tasks.

How to open the Task Scheduler

Windows XP and Windows 7
To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.

Windows 8 and Windows 10
Use the Search option to search for "Schedule" and choose "Schedule Task" to open the Task Scheduler.

Review the Scheduled Tasks

Select the "Task Scheduler Library" to see a list of Scheduled Tasks. You can select any single task to see the properties of that task in the lower pane. Which file will be run when the Scheduled Task is triggered can be seen under the "Actions" tab.

Delete a Scheduled Task

If you have found a task that you wish to remove, you can select the task and click on "Delete" under "Actions" > "Selected Item".
There will be a prompt asking "Do you want to delete this task?" Click "Yes" if you are sure the task should be deleted.
If you are unsure, ask an expert or post a question on the forums.
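Clicking through every task in the Task Scheduler library to read its "Actions" tab is slow on a machine with hundreds of tasks. The script below is an added example, not part of the post above; it does the same review from PowerShell by listing only the tasks whose action points at a program that no longer exists on disk, which is the situation that produces the "missing file" errors described. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated prompt; the helper name Expand-TaskPath is my own.

```powershell
# Added example (not from the original post): find scheduled tasks whose
# "Execute" action points to a program that is no longer present. Run elevated.
# Assumption: uses the ScheduledTasks cmdlets available on Windows 8 and later.

function Expand-TaskPath {
    param([string]$Raw)
    # Task actions may be quoted and may use %SystemRoot%-style variables.
    $p = $Raw.Trim().Trim('"')
    return [Environment]::ExpandEnvironmentVariables($p)
}

$orphans = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry a program path; COM-handler actions have no Execute.
        if (-not $action.Execute) { continue }
        $exe = Expand-TaskPath $action.Execute
        # A bare name such as "cmd.exe" is resolved through PATH, so try that as well.
        $exists = (Test-Path -LiteralPath $exe) -or
                  ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
        if (-not $exists) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
                State     = $task.State
            }
        }
    }
}

$orphans | Format-Table -AutoSize

# Review the list before removing anything. Once you are sure a task belonged
# to the removed program, delete it in the same way the post does by hand:
#   Unregister-ScheduledTask -TaskPath '\' -TaskName 'ExampleLeftoverTask' -Confirm:$false
# (the task name above is a placeholder, not one taken from any of the logs).
```

A task that shows up here is not automatically junk: a legitimate program that was uninstalled normally can leave a task behind too. The point is that the listed tasks can no longer run anyway, so deleting them only removes the error, and the TaskPath column tells you which vendor folder they were registered under.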
  14. Sometimes browser hijackers alter the shortcuts on your desktop, taskbar and start menu to make sure you visit the sites they want you to visit or to enable them to deliver their advertisements. So we will show you how to create new, clean shortcuts.

If the infected shortcuts are pinned at the taskbar, right-click the icon and choose "Unpin this program from taskbar".
If the "Unpin" method does not work you can remove the shortcuts from your taskbar in the hidden folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Removing them from there may require a reboot for the removal to take effect.

Once the altered shortcut is removed, right-click your desktop and choose "New" -> "Shortcut".
Then browse to the location of the executable you want to start with the shortcut. The common locations for the most used browsers are:
"C:\Program Files\Internet Explorer\iexplore.exe"
"C:\Program Files\Google\Chrome\Application\chrome.exe"
"C:\Program Files\Mozilla Firefox\firefox.exe"
"C:\Program Files\Opera\launcher.exe"
"Program Files" may be "Program Files (x86)" if you are running a 64-bit OS.
Please note that the quotes are necessary for these shortcuts to work.
Then click "Next" and "Finish".

Check if the shortcut is working properly and drag it to the taskbar, which will offer you the option to pin it.
You can use the same procedure and pin the shortcut to the Start menu by dragging the icon to the start button, which will offer you to pin it to the start menu.

Existing shortcuts on the desktop can also be cleaned by right-clicking them, then choose "Properties" and in the "Target" field, remove everything after the path to the executable. Remember to leave the quotes.
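The "Target" field the post tells you to clean is really two fields of the .lnk file, the executable path and the arguments appended to it, and a hijacker's URL always lands in the second one. The script below is an added example, not part of the post; it reads every shortcut on the desktop, in the pinned-taskbar folder named above and in both Start menus through the WScript.Shell COM object, and reports those whose Arguments field carries a URL or web page. It only reports unless run with -Fix, a switch of my own, in which case it clears the Arguments field, which is exactly the manual edit the post describes. The pattern used to recognise a hijacked argument is an assumption and may need widening.

```powershell
# Added example (not from the original post): report, and optionally clean,
# browser shortcuts whose Arguments field was altered to open a site.
# Assumption: the -Fix switch is ours; without it nothing is changed.
param([switch]$Fix)

$shell = New-Object -ComObject WScript.Shell

# The locations the post names: desktop, pinned taskbar folder, Start menus.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu')
)

# A clean browser shortcut has an empty Arguments field; anything that looks
# like a URL or a local web page after the executable is the hijack.
$suspectArgs = '(?i)(https?://|www\.|\.url\b|\.html?\b)'

$links = Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue
foreach ($lnk in $links) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if ($sc.Arguments -match $suspectArgs) {
        "{0}`n  Target:    {1}`n  Arguments: {2}" -f $lnk.FullName, $sc.TargetPath, $sc.Arguments
        if ($Fix) {
            # Same edit as the post's "remove everything after the path to the
            # executable": keep TargetPath (with its quoting), drop the arguments.
            $sc.Arguments = ''
            $sc.Save()
            '  -> cleaned'
        }
    }
}
```

Run it once without -Fix and read the list: a shortcut that deliberately opens a particular page (an intranet link, for instance) will match too, and those you leave alone. Pinned taskbar items may need the unpin-and-reboot step from the post before Explorer picks up the cleaned file.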
  15. What should I do if none of my security applications will run?

If none of your security applications (including an antivirus or antispyware program, Malwarebytes Anti-Malware, or Malwarebytes Anti-Rootkit) will run, it is possible that you've been infected with something that is preventing these applications from running. Typically this is a rootkit infection, and can be very difficult to remove. Luckily, we have created a specialized version of Malwarebytes Anti-Rootkit that can help remove these threats.

This tool can be downloaded from this link: Malwarebytes Anti-Rootkit Supplement

Once you have downloaded the tool (contained in a .zip folder), you will need to extract the contents. We recommend extracting to your desktop. If you are unsure how to extract the contents of the .zip file, please see this tutorial from Microsoft: How to extract zipped files

After the files are extracted, double-click the mbar.cmd file. If you are unsure which file this is, try double-clicking both files named mbar - only one of them will run.

Once the tool launches, follow the on-screen instructions to perform a scan with Malwarebytes Anti-Rootkit.

Only advanced users should remove infections by themselves.