Metallica

Moderators
  • Content count: 1,566

About Metallica
  • Rank: Forum Deity
  • Birthday: 05/19/1963

Contact Methods
  • ICQ: 0

Profile Information
  • Location: Netherlands

  1. What is Regfixer Offer TSS?

     The Malwarebytes research team has determined that Regfixer Offer TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

     How do I know if my computer is affected by Regfixer Offer TSS?

     You will see this screen immediately after running the file and when the computer boots:

     How did Regfixer Offer TSS get on my computer?

     Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a free version of Regfixer. But it only installs files that will produce a fake Windows warning screen with the Tech Support Scammers number.

     How do I remove Regfixer Offer TSS?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection it takes some extra steps. The screenlocker keeps grabbing focus so it's virtually impossible to make use of Task Manager. So the easiest option is to reboot into Safe Mode with Networking and then follow the instructions below.

       • Please download Malwarebytes Anti-Malware to your desktop.
       • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
       • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware. Then click Finish.
       • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
       • If an update is available, it will be implemented before the rest of the scanning procedure.
       • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
       • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Regfixer Offer TSS?

     No, Malwarebytes' Anti-Malware removes Regfixer Offer TSS completely.

     How would the full version of Malwarebytes Anti-Malware help protect me?
     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

     Technical details for experts

     You may see these entries in FRST logs:
     Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FreeDownloadmanager.exe [2016-08-26] ()
     Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tascmgr.exe.lnk [2016-08-26]
     ShortcutTarget: tascmgr.exe.lnk -> C:\Users\{username}\AppData\Roaming\MicrosoftExch\tascmgr.exe ()

     Alterations made by the installer:
     File system details [View: All details] (Selection)
     ---------------------------------------------------
     In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
     Adds the file FreeDownloadmanager.exe"="8/26/2016 8:47 AM, 545280 bytes, A
     Adds the file tascmgr.exe.lnk"="8/26/2016 8:51 AM, 1073 bytes, A
     Adds the folder C:\Users\{username}\AppData\Roaming\MicrosoftExch
     Adds the file installdetails.txt"="8/26/2016 8:48 AM, 0 bytes, A
     Adds the file Interop.IWshRuntimeLibrary.dll"="8/26/2016 8:47 AM, 49152 bytes, A
     Adds the file Interop.Scripting.dll"="8/26/2016 8:47 AM, 32768 bytes, A
     Adds the file PlatformInfo.dll"="8/26/2016 8:47 AM, 27136 bytes, A
     Adds the file tascmgr.exe"="8/26/2016 8:47 AM, 78336 bytes, A
     Adds the file tascmgr.exe.config"="8/26/2016 8:47 AM, 643 bytes, A

     Malwarebytes Anti-Malware log:
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 8/26/2016
     Scan Time: 9:01 AM
     Logfile: mbamRegfixOffer.txt
     Administrator: Yes

     Version: 2.2.1.1043
     Malware Database: v2016.08.26.04
     Rootkit Database: v2016.08.15.01
     License: Premium
     Malware Protection: Disabled
     Malicious Website Protection: Disabled
     Self-protection: Disabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {username}

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 318476
     Time Elapsed: 8 min, 18 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)
     Registry Values: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)

     Folders: 1
     Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46],

     Files: 12
     Backdoor.Bot, C:\Users\{username}\AppData\Roaming\MicrosoftExch\tascmgr.exe, Quarantined, [7c30cb84405a1c1a0f12cff80103ab55],
     Trojan.Injector, C:\Users\{username}\Desktop\FreeDownloadmanager.exe, Quarantined, [78344807f6a4cc6abb030dcc9470629e],
     Trojan.Downloader, C:\Users\{username}\Desktop\regfixer_offer.exe, Quarantined, [4d5fa5aab0ea62d4d608835563a19769],
     Backdoor.Bot, C:\Users\{username}\Desktop\tascmgr.exe, Quarantined, [6b41d07f4e4c3cfaa47db116996bc33d],
     Trojan.Injector, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FreeDownloadmanager.exe, Quarantined, [5b51aba49505d561734bfedbc242f10f],
     PUP.Optional.FreeDownloadManager, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FreeDownloadmanager.exe, Quarantined, [119bbd926d2d44f227cfaf110cf835cb],
     Trojan.TechSupportScam, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tascmgr.exe.lnk, Quarantined, [ecc06ce366345cda1264cff24db7f60a],
     Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\tascmgr.exe.config, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46],
     Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\installdetails.txt, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46],
     Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\Interop.IWshRuntimeLibrary.dll, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46],
     Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\Interop.Scripting.dll, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46],
     Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\MicrosoftExch\PlatformInfo.dll, Quarantined, [0d9f9fb06139f343b243c6092dd7ba46],

     Physical Sectors: 0 (No malicious items detected)

     (end)

     As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.
  2. What is WindowsUpdate TSS?

     The Malwarebytes research team has determined that WindowsUpdate TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

     How do I know if my computer is affected by WindowsUpdate TSS?

     You may see these warnings during install:

     How did WindowsUpdate TSS get on my computer?

     Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a fake Windows Update, but it only installs files that will produce a fake Windows Activation screen with the Tech Support Scammers number.

     How do I remove WindowsUpdate TSS?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection it takes some extra steps. If you click on the example picture of the product key, a few options will appear:

       • Click on the CMD button to open a Command Prompt.
       • In the Command prompt type taskmgr and hit Enter to open the Taskmanager.
       • Select the process called fatalerror(.exe) and click on End Process.
       • Then type explorer in the Command prompt and hit Enter to open a file explorer window.
       • From there you can navigate around and follow the instructions below.

     Another option is to reboot into Safe Mode with Networking and then follow the instructions below.

       • Please download Malwarebytes Anti-Malware to your desktop.
       • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
       • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware. Then click Finish.
       • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
       • If an update is available, it will be implemented before the rest of the scanning procedure.
       • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
       • Restart your computer when prompted to do so.
     Note: the product key to unlock this Tech Support Scam is qwert-yuiop-asdfg-hjklz-xcvbn. Enter that in the form and click on the ENTER button and you see this:

     Unfortunately clicking Finish stops fatalerror.exe but it does not trigger explorer, so you will have to reboot or use Ctrl-Alt-Del to fire up the Task Manager.

     Is there anything else I need to do to get rid of WindowsUpdate TSS?

     No, Malwarebytes' Anti-Malware removes WindowsUpdate TSS completely.

     How would the full version of Malwarebytes Anti-Malware help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

     Technical details for experts

     You may see these entries in FRST logs:
     HKCU\...\Run: [L] => C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] ()
     HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] () <==== ATTENTION
     C:\Program Files (x86)\WindowsUpdate

     Alterations made by the installer:
     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Program Files (x86)\WindowsUpdate
     Adds the file fatalerror.exe"="8/16/2016 3:51 AM, 532480 bytes, A
     Adds the file sr60.bat"="8/16/2016 4:28 AM, 124 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
     "L"="REG_SZ", "C:\Program Files (x86)\WindowsUpdate\fatalerror.exe"
     [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     "Shell"="REG_SZ", "C:\Program Files (x86)\WindowsUpdate\fatalerror.exe"
     [HKEY_CURRENT_USER\Software\WindowsUpdate\WindowsUpdate]
     "Path"="REG_SZ", ""

     Malwarebytes Anti-Malware log:
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 8/25/2016
     Scan Time: 9:27 AM
     Logfile: mbamWindowsUpdateTSS.txt
     Administrator: Yes

     Version: 2.2.1.1043
     Malware Database: v2016.08.25.03
     Rootkit Database: v2016.08.15.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {username}

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 318670
     Time Elapsed: 8 min, 41 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)

     Registry Values: 2
     Ransom.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|L, C:\Program Files (x86)\WindowsUpdate\fatalerror.exe, Quarantined, [2027b7981a8070c66cd334a45ba96a96]
     Backdoor.Agent.WU, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\WindowsUpdate\fatalerror.exe, Quarantined, [202777d8fd9dc96d5fab3093986b39c7]

     Registry Data: 0 (No malicious items detected)
     Folders: 0 (No malicious items detected)

     Files: 2
     Ransom.TechSupportScam, C:\Program Files (x86)\WindowsUpdate\fatalerror.exe, Quarantined, [2027b7981a8070c66cd334a45ba96a96],
     Ransom.TechSupportScam, C:\Users\{username}\Desktop\WindowsUpdate_Setup.exe, Quarantined, [6fd8242b6832a78f55e9ab2d2dd7669a],

     Physical Sectors: 0 (No malicious items detected)

     (end)

     As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):

       • Dynamically Blocks Malware Sites & Servers
       • Malware Execution Prevention

     Save yourself the hassle and get protected.
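A small triage helper for the FRST entries quoted in this guide and in the Regfixer Offer TSS guide above, added here as an example and not Malwarebytes' or FRST's own code: it parses the Startup, ShortcutTarget, Run and Winlogon Shell lines and flags the persistence patterns both scams rely on (a Winlogon Shell value other than explorer.exe, an autorun entry FRST prints with an empty () publisher, and a Startup-folder shortcut whose target lives under AppData). The sample input is constructed from the lines above plus two benign entries whose sizes, dates and paths are made up.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the FRST entries quoted in the two removal guides above,
# plus two benign lines (an explorer.exe Shell value and a OneDrive shortcut; their
# sizes, dates and paths are made up) that a correct triage must leave alone.
SAMPLE_FRST = r"""
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FreeDownloadmanager.exe [2016-08-26] ()
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tascmgr.exe.lnk [2016-08-26]
ShortcutTarget: tascmgr.exe.lnk -> C:\Users\{username}\AppData\Roaming\MicrosoftExch\tascmgr.exe ()
ShortcutTarget: OneDrive.lnk -> C:\Program Files\Microsoft OneDrive\OneDrive.exe (Microsoft Corporation)
HKCU\...\Run: [L] => C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] ()
HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] () <==== ATTENTION
HKLM\...\Winlogon: [Shell] explorer.exe [2919296 2016-07-16] (Microsoft Corporation)
"""


class Finding(NamedTuple):
    rule: str       # which persistence pattern matched
    location: str   # registry hive/key or shortcut name the entry came from
    path: str       # executable the entry launches


RE_WINLOGON = re.compile(r"^(HK\w+)\\\.\.\.\\Winlogon: \[Shell\] (.*)$")
RE_RUN = re.compile(r"^(HK\w+)\\\.\.\.\\(Run|RunOnce): \[([^\]]+)\] => (.*)$")
RE_STARTUP = re.compile(r"^Startup: (.*)$")
RE_SHORTCUT = re.compile(r"^ShortcutTarget: (.+?\.lnk) -> (.*)$")


def split_entry(rest: str):
    """Split the tail of an FRST line, 'PATH [size date] (Publisher) <==== ATTENTION',
    into (path, publisher). FRST prints '()' when the file carries no publisher info."""
    rest = rest.replace("<==== ATTENTION", "").strip()
    publisher = ""
    m = re.search(r"\s*\(([^()]*)\)$", rest)    # trailing '(Publisher)' or '()'
    if m:
        publisher = m.group(1).strip()
        rest = rest[: m.start()]
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # trailing '[size date]' or '[date]'
    return rest.strip(), publisher


def analyse_frst(text: str) -> List[Finding]:
    """Flag the persistence patterns the two guides above show."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = RE_WINLOGON.match(line)
        if m:
            # Winlogon\Shell must be explorer.exe; anything else replaces the desktop
            # with that program at logon, which is how the fake activation screen
            # keeps the user locked out.
            hive, rest = m.groups()
            path, _publisher = split_entry(rest)
            if path.lower() != "explorer.exe":
                findings.append(Finding("winlogon-shell-hijack", hive, path))
            continue

        m = RE_RUN.match(line)
        if m:
            hive, key, name, rest = m.groups()
            path, publisher = split_entry(rest)
            if not publisher:
                location = f"{hive}\\...\\{key} [{name}]"
                findings.append(Finding("run-entry-without-publisher", location, path))
            continue

        m = RE_STARTUP.match(line)
        if m:
            path, publisher = split_entry(m.group(1))
            # .lnk entries are resolved by the ShortcutTarget line that follows them
            if not path.lower().endswith(".lnk") and not publisher:
                findings.append(Finding("startup-exe-without-publisher", "Startup folder", path))
            continue

        m = RE_SHORTCUT.match(line)
        if m:
            name, rest = m.groups()
            target, _publisher = split_entry(rest)
            # a Startup shortcut pointing into the roaming profile (MicrosoftExch here)
            # is the Regfixer Offer TSS pattern
            if "\\appdata\\" in target.lower():
                findings.append(Finding("startup-shortcut-into-appdata", name, target))
            continue
    return findings


if __name__ == "__main__":
    for f in analyse_frst(SAMPLE_FRST):
        print(f"{f.rule:32} {f.location:24} -> {f.path}")
```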
  3. What is Window Rates Manager?

     The Malwarebytes research team has determined that Window Rates Manager is adware. These adware applications display advertisements not originating from the sites you are browsing. This one belongs to the WinRange family.

     How do I know if my computer is affected by Window Rates Manager?

     You may see this entry in your list of installed programs:

     How did Window Rates Manager get on my computer?

     Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

     How do I remove Window Rates Manager?

     Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

       • Please download Malwarebytes Anti-Malware to your desktop.
       • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
       • At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware. Then click Finish.
       • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
       • If an update is available, it will be implemented before the rest of the scanning procedure.
       • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
       • Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Window Rates Manager?

     No, Malwarebytes' Anti-Malware removes Window Rates Manager completely.

     How would the full version of Malwarebytes Anti-Malware help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Window Rates Manager adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
     The web protection module also blocks some of the connections the installer tries to make:

     Technical details for experts

     Possible signs in FRST logs:
     (Juston LLC) C:\Program Files (x86)\winrate\WinRateSync.exe
     (Juston LLC) C:\Program Files (x86)\winrate\WinRateSync_.exe
     (Juston LLC) C:\Program Files (x86)\winrate\WinRate.exe
     (Juston LLC) C:\Program Files (x86)\winrate\WinRate.exe
     (Juston LLC) C:\Program Files (x86)\winrate\WinRate_.exe
     (Juston LLC) C:\Program Files (x86)\winrate\WinRate_.exe
     R2 WinRateSvc; C:\Program Files (x86)\winrate\WinRateSync.exe [134656 2016-08-13] (Juston LLC) [File not signed]
     R2 WinRateSvc2; C:\Program Files (x86)\winrate\WinRateSync_.exe [128512 2016-08-13] (Juston LLC) [File not signed]
     C:\Program Files (x86)\winrate
     Window Rates Manager (HKLM-x32\...\Window Rates Manager) (Version: 1.68 - Juston LLC)
     () C:\Program Files (x86)\WinRate\libcef.dll
     () C:\Program Files (x86)\WinRate\log4cplusU.dll

     Alterations made by the installer:
     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Program Files (x86)\winrate
     Adds the file cef.pak"="6/20/2016 8:37 AM, 2749972 bytes, A
     Adds the file cef_100_percent.pak"="6/20/2016 8:37 AM, 146067 bytes, A
     Adds the file cef_200_percent.pak"="6/20/2016 8:37 AM, 235262 bytes, A
     Adds the file cef_extensions.pak"="6/20/2016 8:37 AM, 4409164 bytes, A
     Adds the file d3dcompiler_43.dll"="6/20/2016 8:37 AM, 2106216 bytes, A
     Adds the file d3dcompiler_47.dll"="6/20/2016 8:37 AM, 3709120 bytes, A
     Adds the file devtools_resources.pak"="6/20/2016 8:37 AM, 4740603 bytes, A
     Adds the file icudtl.dat"="6/20/2016 8:37 AM, 10127152 bytes, A
     Adds the file libcef.dll"="6/20/2016 8:37 AM, 52043776 bytes, A
     Adds the file libcurl.dll"="10/27/2014 6:11 PM, 1358336 bytes, A
     Adds the file libEGL.dll"="6/20/2016 8:37 AM, 80384 bytes, A
     Adds the file libGLESv2.dll"="6/20/2016 8:37 AM, 1734656 bytes, A
     Adds the file log4cplusU.dll"="1/14/2015 11:55 AM, 386560 bytes, A
     Adds the file msvcp120.dll"="11/24/2014 9:23 AM, 455328 bytes, A
     Adds the file msvcr120.dll"="11/24/2014 9:23 AM, 970912 bytes, A
     Adds the file natives_blob.bin"="6/20/2016 8:37 AM, 415490 bytes, A
     Adds the file release.log"="8/22/2016 9:06 AM, 0 bytes, A
     Adds the file snapshot_blob.bin"="6/20/2016 8:37 AM, 517972 bytes, A
     Adds the file Uninstall.exe"="8/22/2016 9:06 AM, 141835 bytes, A
     Adds the file widevinecdmadapter.dll"="6/20/2016 8:37 AM, 212992 bytes, A
     Adds the file WinRate.exe"="8/13/2016 7:25 PM, 693248 bytes, A
     Adds the file WinRate_.exe"="8/13/2016 7:26 PM, 693248 bytes, A
     Adds the file WinRateSync.exe"="8/13/2016 7:34 PM, 134656 bytes, A
     Adds the file WinRateSync_.exe"="8/13/2016 7:36 PM, 128512 bytes, A
     Adds the file winratetask.exe"="8/13/2016 7:29 PM, 1822208 bytes, A
     Adds the file winratetask_.exe"="8/13/2016 7:30 PM, 1822720 bytes, A
     Adds the file wow_helper.exe"="5/13/2016 9:59 AM, 67072 bytes, A
     Adds the folder C:\Program Files (x86)\winrate\cache
     Adds the file index"="8/22/2016 9:06 AM, 262512 bytes, A
     Adds the file Visited Links"="8/22/2016 9:08 AM, 131072 bytes, A
     Adds the folder C:\Program Files (x86)\winrate\cache1
     Adds the file Cookies"="8/22/2016 9:09 AM, 12288 bytes, A
     Adds the file Cookies-journal"="8/22/2016 9:09 AM, 0 bytes, A
     Adds the file index"="8/22/2016 9:06 AM, 262512 bytes, A
     Adds the file Visited Links"="8/22/2016 9:09 AM, 131072 bytes, A
     Adds the folder C:\Program Files (x86)\winrate\locales
     Adds the folder C:\Program Files (x86)\winrate\plugins
     Adds the file pepflashplayer.dll"="6/30/2016 3:25 AM, 31555776 bytes, A
     Adds the folder C:\Program Files (x86)\winrate\Update
     Adds the folder C:\Users\{username}\AppData\Local\CEF\User Data\Dictionaries

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_LOCAL_MACHINE\SOFTWARE\okwinrate]
     "ID"="REG_SZ", "722CD293-0956-4BA0-B6AE-9FFDEDA33DE0"
     "InstallAMID"="REG_SZ", ""
     "InstallSID"="REG_SZ", ""
     "Version"="REG_SZ", "168"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Window Rates Manager]
     "DisplayName"="REG_SZ", "Window Rates Manager"
     "DisplayVersion"="REG_SZ", "1.68"
     "EstimatedSize"="REG_DWORD", 85886
     "InstallDate"="REG_SZ", "20150822"
     "Publisher"="REG_SZ", "Juston LLC"
     "UninstallString"="REG_SZ", ""C:\Program Files (x86)\winrate\uninstall.exe""
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\okwinrate]
     "ID"="REG_SZ", "722CD293-0956-4BA0-B6AE-9FFDEDA33DE0"
     "InstallAMID"="REG_SZ", "0"
     "InstallDate"="REG_SZ", "22.08.2016 9:06"
     "InstallSID"="REG_SZ", ""
     "restart1"="REG_SZ", "1"
     "restart2"="REG_SZ", "1"
     "Success"="REG_SZ", "1"
     "Version"="REG_SZ", "168"
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinRateSvc]
     "DisplayName"="REG_SZ", "Window Rates Manager"
     "ErrorControl"="REG_DWORD", 1
     "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\winrate\WinRateSync.exe"
     "ObjectName"="REG_SZ", "LocalSystem"
     "Start"="REG_DWORD", 2
     "Type"="REG_DWORD", 16
     "WOW64"="REG_DWORD", 1
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinRateSvc2]
     "DisplayName"="REG_SZ", "Window Rates Manager2"
     "ErrorControl"="REG_DWORD", 1
     "ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\winrate\WinRateSync_.exe"
     "ObjectName"="REG_SZ", "LocalSystem"
     "Start"="REG_DWORD", 2
     "Type"="REG_DWORD", 16
     "WOW64"="REG_DWORD", 1
     [HKEY_CURRENT_USER\Software\winmnt]
     "Success"="REG_SZ", "1"

     Malwarebytes Anti-Malware log:
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 8/24/2016
     Scan Time: 8:27 AM
     Logfile: mbamWindowRateManager.txt
     Administrator: Yes

     Version: 2.2.1.1043
     Malware Database: v2016.08.24.03
     Rootkit Database: v2016.08.15.01
     License: Premium
     Malware Protection: Disabled
     Malicious Website Protection: Disabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {username}

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 319189
     Time Elapsed: 8 min, 34 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 9
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRateSync.exe, 2016, Delete-on-Reboot, [509367e7a0fa00360c0f7a5f40c4619f]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRateSync_.exe, 3664, Delete-on-Reboot, [cf14014d3565cc6aa378499073916799]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate.exe, 2884, Delete-on-Reboot, [ecf7a2acf4a689adfb20f0e91be9bc44]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate.exe, 2228, Delete-on-Reboot, [ecf7a2acf4a689adfb20f0e91be9bc44]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate_.exe, 3980, Delete-on-Reboot, [1dc6e06e6a303cfa100bca0f17ed49b7]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate_.exe, 3704, Delete-on-Reboot, [1dc6e06e6a303cfa100bca0f17ed49b7]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate_.exe, 2956, Delete-on-Reboot, [1dc6e06e6a303cfa100bca0f17ed49b7]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate_.exe, 4036, Delete-on-Reboot, [1dc6e06e6a303cfa100bca0f17ed49b7]
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate_.exe, 3880, Delete-on-Reboot, [1dc6e06e6a303cfa100bca0f17ed49b7]

     Modules: 36
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],

     Registry Keys: 5
     PUP.Optional.WinRate, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinRateSvc, Quarantined, [509367e7a0fa00360c0f7a5f40c4619f],
     PUP.Optional.WinRate, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinRateSvc2, Quarantined, [cf14014d3565cc6aa378499073916799],
     PUP.Optional.WinRate, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Window Rates Manager, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, HKLM\SOFTWARE\okwinrate, Quarantined, [c320133bfc9e43f30a168a4f51b34fb1],
     PUP.Optional.WinRate, HKLM\SOFTWARE\WOW6432NODE\okwinrate, Quarantined, [52919bb35a40bb7b65bb499059abd12f],

     Registry Values: 3
     PUP.Optional.WinRate, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINDOW RATES MANAGER|Publisher, Juston LLC, Quarantined, [558ec08efaa037ffd24dac2dbf4529d7]
     PUP.Optional.WinRate, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINRATESVC|DisplayName, Window Rates Manager, Quarantined, [a53e36180397ce68bf6210c908fcff01]
     PUP.Optional.WinRate, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINRATESVC2|DisplayName, Window Rates Manager2, Quarantined, [c0233e10128852e43be7b326897b08f8]

     Registry Data: 0 (No malicious items detected)

     Folders: 12
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\databases, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\databases\http_www.lampen24.nl_0, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\GPUCache, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\databases, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\databases\https_www.unibet.eu_0, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\GPUCache, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\plugins, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\Update, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],

     Files: 185
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRateSync.exe, Delete-on-Reboot, [509367e7a0fa00360c0f7a5f40c4619f],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRateSync_.exe, Delete-on-Reboot, [cf14014d3565cc6aa378499073916799],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate.exe, Delete-on-Reboot, [ecf7a2acf4a689adfb20f0e91be9bc44],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\WinRate_.exe, Quarantined, [1dc6e06e6a303cfa100bca0f17ed49b7],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\winratetask.exe, Quarantined, [8e557cd244569d99a575459431d318e8],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\winratetask_.exe, Delete-on-Reboot, [647f98b6603acc6ae139f2e7d33122de],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\snapshot_blob.bin, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libGLESv2.dll, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cef.pak, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cef_100_percent.pak, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cef_200_percent.pak, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cef_extensions.pak, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\d3dcompiler_43.dll, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\d3dcompiler_47.dll, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\devtools_resources.pak, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\icudtl.dat, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcef.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libcurl.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\libEGL.dll, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\log4cplusU.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcp120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\msvcr120.dll, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\natives_blob.bin, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\release.log, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\Uninstall.exe, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\widevinecdmadapter.dll, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\wow_helper.exe, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00000b, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\Cookies, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\Cookies-journal, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\data_0, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\data_1, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\data_2, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\data_3, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000001, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000002, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000003, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000004, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000005, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000006, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000007, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000008, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000009, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00000a, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00000c, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00000d, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00000e, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00000f, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000010, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000011, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000012, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000013, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000014, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000015, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000016, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000017, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000018, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_000019, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00001a, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00001b, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\f_00001c, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\index, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\QuotaManager, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
     PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\QuotaManager-journal, Quarantined, [a93a0648c4d6d165f62230a9e51f9967],
PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\Visited Links, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\databases\Databases.db, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\databases\Databases.db-journal, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\databases\http_www.lampen24.nl_0\1, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\GPUCache\data_0, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\GPUCache\data_1, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\GPUCache\data_2, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\GPUCache\data_3, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache\GPUCache\index, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00000b, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\Cookies, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\Cookies-journal, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\data_0, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\data_1, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\data_2, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\data_3, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], 
PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000001, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000002, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000003, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000004, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000005, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000006, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000007, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000008, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000009, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00000a, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00000c, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00000d, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00000e, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00000f, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000010, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000011, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000012, Quarantined, 
[a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000013, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000014, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000015, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000016, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000017, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000018, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000019, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00001a, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00001b, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00001c, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00001d, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00001e, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_00001f, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000020, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000021, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000022, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files 
(x86)\winrate\cache1\f_000023, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000024, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000025, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000026, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000027, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\f_000028, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\index, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\QuotaManager, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\QuotaManager-journal, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\Visited Links, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\databases\Databases.db, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\databases\Databases.db-journal, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\databases\https_www.unibet.eu_0\1, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\GPUCache\data_0, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\GPUCache\data_1, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\GPUCache\data_2, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program 
Files (x86)\winrate\cache1\GPUCache\data_3, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\cache1\GPUCache\index, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\hi.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\am.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ar.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\bg.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\bn.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ca.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\cs.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\da.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\de.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\el.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\en-GB.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\en-US.pak, Delete-on-Reboot, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\es-419.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\es.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\et.pak, Quarantined, 
[a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\fa.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\fi.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\fil.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\fr.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\gu.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\he.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\hr.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\hu.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\id.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\it.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ja.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\kn.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ko.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\lt.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\lv.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ml.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\mr.pak, 
Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ms.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\nb.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\nl.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\pl.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\pt-BR.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\pt-PT.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ro.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ru.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\sk.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\sl.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\sr.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\sv.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\sw.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\ta.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\te.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\th.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files 
(x86)\winrate\locales\tr.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\uk.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\vi.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\zh-CN.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\locales\zh-TW.pak, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], PUP.Optional.WinRate, C:\Program Files (x86)\winrate\plugins\pepflashplayer.dll, Quarantined, [a93a0648c4d6d165f62230a9e51f9967], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is EveryDayManuals?
The Malwarebytes research team has determined that EveryDayManuals is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements. EveryDayManuals is a Mindspark/Ask toolbar, now known as IAC Applications.
How do I know if my computer is affected by EveryDayManuals?
You may see these browser extensions/add-ons:
You may see this entry in your list of installed software:
these warnings during install:
and this icon on your desktop:
and this new startpage:
How did EveryDayManuals get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one is offered as a lookup utility for manuals.
How do I remove EveryDayManuals?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise following the steps below anyway.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of EveryDayManuals?
If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the EveryDayManuals entry.
If you are using Chrome or Firefox, you should be redirected to our Restore Browser page.
You can read there how to fix additional browser redirect methods.
How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the EveryDayManuals hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/everydaymanuals/ttab02/index.html?n=C044C2E&p2={p21}&ptb={ptb1}
FF Homepage: hxxp://hp.myway.com/everydaymanuals/ttab02/index.html?coId={coId2}&subId&ln=en&n=782af984&ptb={ptb2}&st=tab&p2={p21}&si
FF Extension: EverydayManuals - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_hfMembers_@free.everydaymanuals.com [2016-08-23]
CHR Extension: (EverydayManuals) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\genajjnkfigihcnhlccdmhnbheniknmm [2016-08-23]
C:\Users\{username}\AppData\Local\EverydayManualsTooltab
EverydayManuals Internet Explorer Homepage and New Tab (HKCU\...\EverydayManualsTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network) <==== ATTENTION
An excerpt from the Malwarebytes Anti-Malware scan log: (full log available on request)
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 8/23/2016
Scan Time: 8:53 AM
Logfile: mbamEveryDayManuals.txt
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.08.23.03
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318597
Time Elapsed: 10 min, 3 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 1
PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\EverydayManualsTooltab\TooltabExtension.dll, Delete-on-Reboot, [502f67e7a0fa00360c537a1d40c4619f],
Registry Keys: 1
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EverydayManualsTooltab Uninstall Internet Explorer, Quarantined, [502f67e7a0fa00360c537a1d40c4619f],
Registry Values: 0
(No malicious items detected)
Registry Data: 1
PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://hp.myway.com/everydaymanuals/ttab02/index.html?n=C044C2E&p2={p21}&ptb={ptb1}, Good: (www.google.com), Bad: (http://hp.myway.com/everydaymanuals/ttab02/index.html?n=C044C2E&p2={p21}&ptb={ptb1}),Replaced,[2d528bc3d3c7082e4351740533d1a25e]
Folders: 89
Files: 252
Physical Sectors: 0
(No malicious items detected)
(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  5. What is MySafeSavings?
The Malwarebytes research team has determined that MySafeSavings is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by MySafeSavings?
You may see this type of warning during install:
and this entry in your list of installed programs:
How did MySafeSavings get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove MySafeSavings?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of MySafeSavings?
No, Malwarebytes' Anti-Malware removes MySafeSavings completely.
How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this adware. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the MySafeSavings adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
() C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe
() C:\Program Files (x86)\SafeSavings\mysafesavings.exe
R2 lggr; C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe [25088 2016-08-17] () [File not signed]
C:\ProgramData\SafeSavings
C:\Program Files (x86)\SafeSavings
MySafeSavings (HKLM-x32\...\MySafeSavings) (Version: 1.0.2.2 - )

Alterations made by the installer:

File system details [View: All details] (Selection) ---------------------------------------------------
Adds the folder C:\Program Files (x86)\SafeSavings
Adds the file mysafesavings.exe"="8/17/2016 4:31 PM, 578048 bytes, A
Adds the folder C:\ProgramData\Microsoft\WindowsLogger
Adds the file winlogger.exe"="8/17/2016 4:31 PM, 25088 bytes, A
Adds the folder C:\ProgramData\SafeSavings
Adds the file backup.dat"="8/17/2016 4:31 PM, 578048 bytes, A

Registry details [View: All details] (Selection) ------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MySafeSavings]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\SafeSavings\MySafeSavings.exe"
"DisplayName"="REG_SZ", "MySafeSavings"
"DisplayVersion"="REG_SZ", "1.0.2.2"
"EstimatedSize"="REG_DWORD", 564
"Publisher"="REG_SZ", ""
"UninstallString"="REG_SZ", "explorer.exe http://uninstall.mysafesavings.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MySafeSavings]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lggr]
"Description"="REG_SZ", "Windows unexpected exceptions logger."
"DisplayName"="REG_SZ", "Windows Logger"
"ErrorControl"="REG_DWORD", 1
"FailureActions"="REG_BINARY, ............d...d...d.
"ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe -runcmd"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lggr\Security]
"Security"="REG_BINARY, ........0................p...."......................... ...................................
[HKEY_CURRENT_USER\Software\MySafeSavings]
"id"="REG_SZ", "713792512348164"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/22/2016
Scan Time: 12:32 PM
Logfile: mbamMySafeSavings.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.22.03
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318711
Time Elapsed: 9 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.MySafeSavings, C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe, 3000, Delete-on-Reboot, [9d7e044a2e6cc175a2d3cb0552b229d7]
PUP.Optional.MySafeSavings, C:\Program Files (x86)\SafeSavings\mysafesavings.exe, 3484, Delete-on-Reboot, [59c2b896f4a62a0c5a995d6b43bf857b]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.MySafeSavings, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\lggr, Quarantined, [9d7e044a2e6cc175a2d3cb0552b229d7],
PUP.Optional.MySafeSavings, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MySafeSavings, Quarantined, [fc1f1836405a54e27add47ab9a69c33d],

Registry Values: 1
PUP.Optional.MySafeSavings, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\lggr|ImagePath, C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe -runcmd, Quarantined, [7aa1014d980296a00f67e5ebbb49c838]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.MySafeSavings, C:\ProgramData\Microsoft\WindowsLogger, Delete-on-Reboot, [9d7e044a2e6cc175a2d3cb0552b229d7],
PUP.Optional.MySafeSavings, C:\Program Files (x86)\SafeSavings, Delete-on-Reboot, [59c2b896f4a62a0c5a995d6b43bf857b],

Files: 2
PUP.Optional.MySafeSavings, C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe, Delete-on-Reboot, [9d7e044a2e6cc175a2d3cb0552b229d7],
PUP.Optional.MySafeSavings, C:\Program Files (x86)\SafeSavings\mysafesavings.exe, Delete-on-Reboot, [59c2b896f4a62a0c5a995d6b43bf857b],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  6. What is BestOffer?

The Malwarebytes research team has determined that BestOffer is adware. The installer displays advertisements not originating from the sites you are browsing and drops links to advertisements on your desktop.

How do I know if my computer is affected by BestOffer?

You may see these warnings during install:

this entry in your list of installed programs:

and these icons on your desktop and in your taskbar:

How did BestOffer get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with a download manager.

How do I remove BestOffer?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of BestOffer?

No, Malwarebytes' Anti-Malware removes BestOffer completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the BestOffer adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
The web protection module also blocks some of the connections the installer tries to make:

Technical details for experts

Possible signs in FRST logs:
C:\Users\{username}\Desktop\iStripper.lnk
C:\Users\{username}\Desktop\BestOffer EveryDay.lnk
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version: - Tonec Inc.)
Shortcut: C:\Users\{username}\Desktop\BestOffer EveryDay.lnk -> C:\Program Files (x86)\Opera\BestOffer.url ()
Shortcut: C:\Users\{username}\Desktop\Internet Download Manager.lnk -> C:\Program Files (x86)\Internet Download Manager\IDMan.exe (Tonec Inc.)
Shortcut: C:\Users\{username}\Desktop\iStripper.lnk -> C:\Program Files (x86)\Opera\iStripper.url ()

Relevant alterations made by the installer:

File system details [View: All details] (Selection) ---------------------------------------------------
In the existing folder C:\Program Files (x86)\Opera
Adds the file BestOffer.url"="6/29/2016 3:18 PM, 195 bytes, A
Adds the file iStripper.url"="6/10/2016 7:46 PM, 193 bytes, A
Adds the file Offer.url"="6/25/2016 7:40 AM, 192 bytes, A
Adds the file Offer2.url"="6/29/2016 3:17 PM, 195 bytes, A
Adds the folder C:\Program Files (x86)\Opera\pic
Adds the file idman625build21.exe"="6/13/2016 1:21 PM, 6851184 bytes, A
Adds the file istripper.ico"="6/10/2016 7:20 PM, 122192 bytes, A
Adds the file offer.ico"="2/16/2016 4:52 AM, 353118 bytes, A
In the existing folder C:\Users\{username}\Desktop
Adds the file BestOffer EveryDay.lnk"="8/18/2016 3:08 PM, 1067 bytes, A
Adds the file Internet Download Manager.lnk"="8/18/2016 3:09 PM, 1009 bytes, A
Adds the file iStripper.lnk"="8/18/2016 3:08 PM, 1075 bytes, A
In the existing folder C:\Users\{username}\Downloads
Adds the file idman625build21.exe"="8/18/2016 1:54 PM, 7586688 bytes, A

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/18/2016
Scan Time: 3:50 PM
Logfile: mbamIDM.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.18.04
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318481
Time Elapsed: 7 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 5
PUP.Optional.Downloader, C:\Users\{username}\Downloads\idman625build21.exe, Quarantined, [0488cc80f5a50d295910973c07fdad53],
PUP.Optional.BestOffer, C:\Users\{username}\Desktop\BestOffer EveryDay.lnk, Quarantined, [216b5bf14654c67017fbe5cbe61e4bb5],
PUP.Optional.BestOffer, C:\Program Files (x86)\Opera\BestOffer.url, Quarantined, [4a42420ab1e988ae56a2941dcf350ef2],
PUP.Optional.BestOffer, C:\Program Files (x86)\Opera\Offer.url, Quarantined, [98f4cd7fdebc47ef47b32e83679df50b],
PUP.Optional.BestOffer, C:\Program Files (x86)\Opera\Offer2.url, Quarantined, [721aa3a9e2b8ad89c5393b76877d01ff],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  7. What is FindMeSavings?

The Malwarebytes research team has determined that FindMeSavings is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by FindMeSavings?

You may see this Scheduled Task:

How did FindMeSavings get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove FindMeSavings?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of FindMeSavings?

No, Malwarebytes' Anti-Malware removes FindMeSavings completely.
This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the FindMeSavings adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
Technical details for experts

Possible signs in FRST logs:
C:\Windows\System32\Tasks\rundll
C:\Windows\Tasks\rundll.job
C:\ProgramData\FindMeSavings
Task: {D8CD4FA2-2B77-4A96-80C9-86510F8C596C} - System32\Tasks\rundll => Rundll32.exe "C:\ProgramData\FindMeSavings\FindMeSavings.dll",tnk
Task: C:\Windows\Tasks\rundll.job => C:\Windows\system32\rundll32.exe5C:\ProgramData\FindMeSavings\FindMeSavings.dll

Alterations made by the installer:

File system details [View: All details] (Selection) ---------------------------------------------------
Adds the folder C:\ProgramData\FindMeSavings
Adds the file 169.tmp"="8/18/2016 9:15 AM, 56 bytes, A
Adds the file FindMeSavings.dll"="3/24/2014 4:42 AM, 2671616 bytes, A
In the existing folder C:\Windows\System32\Tasks
Adds the file rundll"="8/18/2016 9:15 AM, 13218 bytes, A
In the existing folder C:\Windows\Tasks
Adds the file rundll.job"="8/18/2016 9:15 AM, 1486 bytes, A

Registry details [View: All details] (Selection) ------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\MGT]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures]
"rundll.job"="REG_BINARY, ................................
"rundll.job.fp"="REG_DWORD", 1897806838

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/18/2016
Scan Time: 10:52 AM
Logfile: mbamFindMeSavings.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.18.02
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318134
Time Elapsed: 8 min, 43 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Bonanza, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E0E96F25-520D-499B-B87D-5A8B5B2DA8F3}, Delete-on-Reboot, [9dedd17bd7c3dd594b8f748749baea16],
PUP.Optional.Bonanza, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\rundll, Delete-on-Reboot, [187282ca782268ce36a5a853d52ee61a],

Registry Values: 1
PUP.Optional.Bonanza, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E0E96F25-520D-499B-B87D-5A8B5B2DA8F3}|Path, \rundll, Delete-on-Reboot, [9dedd17bd7c3dd594b8f748749baea16]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.FindMeSavings, C:\ProgramData\FindMeSavings, Quarantined, [078360ecacee7db9d942c907758fae52],

Files: 4
PUP.Optional.Bonanza, C:\Windows\System32\Tasks\rundll, Quarantined, [7d0dd6766a30c67036a2bb40669d2fd1],
PUP.Optional.Bonanza, C:\Windows\Tasks\rundll.job, Quarantined, [93f74507f7a37fb7d70299625da6ef11],
PUP.Optional.FindMeSavings, C:\ProgramData\FindMeSavings\169.tmp, Quarantined, [078360ecacee7db9d942c907758fae52],
PUP.Optional.FindMeSavings, C:\ProgramData\FindMeSavings\FindMeSavings.dll, Quarantined, [078360ecacee7db9d942c907758fae52],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
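The MySafeSavings and FindMeSavings logs above share one persistence pattern: a binary dropped under C:\ProgramData, unsigned, started either by a service running as LocalSystem or by a scheduled task that hands a DLL to rundll32. The script below is an added example, not Malwarebytes or FRST code. It parses FRST-style "R2 <service>; <path> [...]" and "Task: ... => ..." lines and flags the ones that match that pattern. The sample lines are constructed for the example: two are modelled on the entries quoted in the posts, the Spooler and "ExampleUpdater" lines are constructed benign entries so the filter has something to leave alone.

```python
"""Triage of FRST-style service and scheduled-task lines.

Added example (not Malwarebytes or FRST code): flags the persistence
pattern seen in the MySafeSavings and FindMeSavings posts, i.e. a service
or task whose binary lives in a folder a standard user can write to.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines 1 and 3 are modelled on the FRST entries quoted
# in the two posts; lines 2 and 4 are constructed benign entries.
SAMPLE_FRST = [
    r'R2 lggr; C:\ProgramData\Microsoft\WindowsLogger\winlogger.exe [25088 2016-08-17] () [File not signed]',
    r'R2 Spooler; C:\Windows\System32\spoolsv.exe [559104 2009-07-13] (Microsoft Corporation)',
    r'Task: {D8CD4FA2-2B77-4A96-80C9-86510F8C596C} - System32\Tasks\rundll => Rundll32.exe "C:\ProgramData\FindMeSavings\FindMeSavings.dll",tnk',
    r'Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleUpdater => C:\Program Files (x86)\Example\updater.exe (Example Corp)',
]

# "R2 <name>; <path> [<size> <date>] (<company>) [flags...]"
SERVICE_RE = re.compile(
    r'^R[0-4]\s+(?P<name>[^;]+);\s+(?P<path>.+?\.(?:exe|dll|sys))\s+'
    r'\[(?P<size>\d+)\s+(?P<date>\S+)\]\s+\((?P<company>[^)]*)\)\s*(?P<flags>.*)$',
    re.IGNORECASE)
# "Task: {GUID} - System32\Tasks\<name> => <action>"
TASK_RE = re.compile(
    r'^Task:\s+(?P<id>\S+)\s+-\s+(?P<taskpath>.+?)\s+=>\s+(?P<action>.+)$',
    re.IGNORECASE)
# rundll32 together with the DLL it is asked to load
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# ProgramData and the user profiles are writable without admin rights.
USER_WRITABLE_RE = re.compile(r'^[A-Z]:\\(?:ProgramData|Users)\\', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                # "service" or "task"
    name: str
    path: str                # binary (service) or full action (task)
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one suspicious line, or None if it looks ordinary."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        reasons = []
        if USER_WRITABLE_RE.match(m['path']):
            reasons.append('service binary in a user-writable folder')
        if 'file not signed' in m['flags'].lower():
            reasons.append('binary is not signed')
        if not m['company'].strip():
            reasons.append('no company name in the version info')
        return Finding('service', m['name'], m['path'], reasons) if reasons else None
    m = TASK_RE.match(line)
    if m:
        reasons = []
        r = RUNDLL_RE.search(m['action'])
        if r and USER_WRITABLE_RE.match(r['dll']):
            reasons.append('rundll32 loads a DLL from a user-writable folder')
        name = m['taskpath'].rsplit('\\', 1)[-1]
        return Finding('task', name, m['action'], reasons) if reasons else None
    return None


def triage(lines) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE_FRST):
        print(f'{f.kind}: {f.name} -> {f.path}')
        for reason in f.reasons:
            print('    -', reason)
```

Run against the sample, only the lggr service and the rundll task are reported; the two constructed benign entries pass because their binaries live under C:\Windows or Program Files and carry a company name. The location check is deliberately coarse: legitimate software does sometimes run from ProgramData, so the output is a list of things to look at, not a verdict.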
  8. What is HPRewriter2?

The Malwarebytes research team has determined that HPRewriter2 is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one replaces many browser shortcuts and shows advertisements.

How do I know if my computer is affected by HPRewriter2?

You may see this entry in your list of installed software:

and these shortcuts on your desktop, your startmenu, and your taskbar:

and you will see this startpage:

How did HPRewriter2 get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove HPRewriter2?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of HPRewriter2?

No, Malwarebytes' Anti-Malware removes HPRewriter2 completely.
The hijacker alters the shortcuts for Chrome, Opera, Internet Explorer, Yandex, and Firefox. Here you can read how to create new, clean shortcuts.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the HPRewriter2 hijacker.
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
(PSEJHI coidt) C:\Users\{username}\AppData\Roaming\HPRewriter2\HPWriterSrv3.exe
R2 HPWriter Service; C:\Users\{username}\AppData\Roaming\HPRewriter2\HPWriterSrv3.exe [1047040 2016-08-16] (PSEJHI coidt) [File not signed]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk
C:\Users\MBAM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk
C:\Users\Public\Desktop\??zill? Fir?f??.lnk
C:\Users\Public\Desktop\G??gl? ?hr?m?.lnk
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk
C:\Users\{username}\AppData\Roaming\HPRewriter2
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
HPRewriter2 (HKLM-x32\...\HPRewriter2) (Version: - )
Shortcut: C:\Users\MBAM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk -> C:\Users\MBAM\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)
Shortcut: C:\Users\MBAM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ???l?r?r (N? ?dd-?ns).lnk -> C:\Users\MBAM\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)
Shortcut: C:\Users\MBAM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gl? ?hr?m?.lnk -> C:\Users\MBAM\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)
Shortcut: C:\Users\MBAM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Int?rn?t ???l?r?r.lnk -> C:\Users\MBAM\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)
Shortcut: C:\Users\MBAM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk -> C:\Users\MBAM\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 1 0
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 2 0
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 3 0
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ???l?r?r (N? ?dd-?ns).lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 3 0
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.EaseOfAccessCenter
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gl? ?hr?m?.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 1 0
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Int?rn?t ???l?r?r.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 3 0
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 2 0
ShortcutWithArgument: C:\Users\Public\Desktop\G??gl? ?hr?m?.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 1 0
ShortcutWithArgument: C:\Users\Public\Desktop\??zill? Fir?f??.lnk -> C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe (hxaynup) -> 2 0

Alterations made by the installer:

File system details [View: All details] (Selection) ---------------------------------------------------
In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs
Deletes the file Google Chrome.lnk"="8/5/2016 10:51 AM, 2195 bytes, A
Adds the file G??gl? ?hr?m?.lnk"="8/17/2016 8:38 AM, 2135 bytes, A
Deletes the file Mozilla Firefox.lnk"="2/8/2016 1:27 PM, 1159 bytes, A
Adds the file ??zill? Fir?f??.lnk"="8/17/2016 8:38 AM, 2137 bytes, A
In the existing folder C:\Users\MBAM\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Deletes the file Google Chrome.lnk"="2/8/2016 1:44 PM, 2284 bytes, A
Adds the file G??gl? ?hr?m?.lnk"="8/17/2016 8:38 AM, 2313 bytes, A
Deletes the file Internet Explorer.lnk"="2/8/2016 4:52 PM, 1419 bytes, A
Adds the file Int?rn?t ???l?r?r.lnk"="8/17/2016 8:38 AM, 2417 bytes, A
Deletes the file Mozilla Firefox.lnk"="2/8/2016 1:28 PM, 1159 bytes, A
Adds the file ??zill? Fir?f??.lnk"="8/17/2016 8:38 AM, 2181 bytes, A
In the existing folder C:\Users\MBAM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Deletes the file Internet Explorer.lnk"="2/8/2016 4:52 PM, 1413 bytes, A
Adds the file Int?rn?t ???l?r?r.lnk"="8/17/2016 8:38 AM, 2127 bytes, A
In the existing folder C:\Users\MBAM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools
Deletes the file Internet Explorer (No Add-ons).lnk"="2/8/2016 4:52 PM, 1463 bytes, A
Adds the file Int?rn?t ???l?r?r (N? ?dd-?ns).lnk"="8/17/2016 8:38 AM, 2139 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\HPRewriter2
Adds the file HPWriterSrv3.exe"="8/16/2016 12:03 PM, 1047040 bytes, A
Adds the file RewRun3.exe"="8/16/2016 12:06 PM, 949760 bytes, A
Adds the file uninstaller.exe"="8/17/2016 8:38 AM, 221442 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons\Browsers
Adds the file chrome.ico"="8/5/2016 1:01 PM, 24957 bytes, A
Adds the file firefox.ico"="8/5/2016 1:01 PM, 67901 bytes, A
Adds the file ie.ico"="8/5/2016 1:01 PM, 52231 bytes, A
Adds the file opera.ico"="8/5/2016 1:01 PM, 18329 bytes, A
Adds the file yandex.ico"="8/5/2016 1:01 PM, 20036 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
Deletes the file Google Chrome.lnk"="3/3/2016 10:14 AM, 2393 bytes, A
Adds the file G??gl? ?hr?m?.lnk"="8/17/2016 8:38 AM, 2243 bytes, A
Deletes the file Internet Explorer.lnk"="2/10/2016 11:10 AM, 1413 bytes, A
Adds the file Int?rn?t ???l?r?r.lnk"="8/17/2016 8:38 AM, 2347 bytes, A
Deletes the file Mozilla Firefox.lnk"="6/20/2016 11:24 AM, 1159 bytes, A
Adds the file ??zill? Fir?f??.lnk"="8/17/2016 8:38 AM, 2111 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Deletes the file Internet Explorer.lnk"="2/10/2016 11:10 AM, 1413 bytes, A
Adds the file Int?rn?t ???l?r?r.lnk"="8/17/2016 8:38 AM, 2057 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools
Deletes the file Internet Explorer (No Add-ons).lnk"="2/10/2016 11:10 AM, 1463 bytes, A
Adds the file Int?rn?t ???l?r?r (N? ?dd-?ns).lnk"="8/17/2016 8:38 AM, 2069 bytes, A
In the existing folder C:\Users\Public\Desktop
Deletes the file Google Chrome.lnk"="8/5/2016 10:51 AM, 2183 bytes, A
Adds the file G??gl? ?hr?m?.lnk"="8/17/2016 8:38 AM, 2105 bytes, A
Deletes the file Mozilla Firefox.lnk"="2/8/2016 1:27 PM, 1147 bytes, A
Adds the file ??zill? Fir?f??.lnk"="8/17/2016 8:38 AM, 2107 bytes, A

Registry details [View: All details] (Selection) ------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HPRewriter]
"cwykda"="REG_SZ", "eyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVybCIgICAgICA6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImh0dHA6Ly9rcmF3YXphc2lyb2NsYS5ydSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICwgICAgICAgICAgICAgICAicmV3cml0ZV90aW1lb3V0X21pbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1ICAgICAgICAgICB9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HPRewriter\Components]
"Main"="REG_SZ", "1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HPRewriter2]
"DisplayName"="REG_SZ", "HPRewriter2"
"UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Roaming\HPRewriter2\uninstaller.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HPWriter Service]
"DisplayName"="REG_SZ", "HPWriter Service"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Users\{username}\AppData\Roaming\HPRewriter2\HPWriterSrv3.exe"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/17/2016
Scan Time: 8:52 AM
Logfile: mbamHPRewriter2.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.17.04
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318137
Time Elapsed: 9 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\HPWriterSrv3.exe, 3076, Delete-on-Reboot, [f92f26265c3efd390b81d1fb659f17e9]

Modules: 0
(No malicious items detected)

Registry Keys: 3
Trojan.Agent, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HPRewriter2, Quarantined, [e741b399c5d5e35386d005ccca3af709],
PUP.Optional.HPDefender.Generic, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HPWriter Service, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HPRewriter2, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],

Registry Values: 1
PUP.Optional.HPDefender.Generic, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HPWriter Service|ImagePath, C:\Users\{username}\AppData\Roaming\HPRewriter2\HPWriterSrv3.exe, Quarantined, [9593bd8f465473c3c3c6be0ef60eb54b]

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2, Delete-on-Reboot, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons\Browsers, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],

Files: 11
Trojan.Agent, C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe, Delete-on-Reboot, [141499b30892b383a2bf05cc1de707f9],
Trojan.Agent, C:\Users\{username}\AppData\Roaming\HPRewriter2\uninstaller.exe, Quarantined, [e741b399c5d5e35386d005ccca3af709],
Trojan.Agent, C:\Users\{username}\Desktop\krawazasirocla.ru_World.exe, Quarantined, [b0784606aaf054e2ec6afbd6b35145bb],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\HPWriterSrv3.exe, Delete-on-Reboot, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe, Delete-on-Reboot, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\uninstaller.exe, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons\Browsers\chrome.ico, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons\Browsers\firefox.ico, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons\Browsers\ie.ico, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons\Browsers\opera.ico, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],
PUP.Optional.HPDefender.Generic, C:\Users\{username}\AppData\Roaming\HPRewriter2\Resources\Icons\Browsers\yandex.ico, Quarantined, [f92f26265c3efd390b81d1fb659f17e9],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
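The HPRewriter2 details above show the two signs of a shortcut hijack: the original Google Chrome.lnk, Mozilla Firefox.lnk and Internet Explorer.lnk files are deleted and replaced by look-alike names (the substituted letters appear as "?" in the forum extraction), and every replacement points at RewRun3.exe under AppData\Roaming instead of the browser. The script below is an added example, not Malwarebytes or FRST code. It parses FRST-style "Shortcut:" and "ShortcutWithArgument:" lines and flags a shortcut when its name mixes letters from more than one Unicode script or when its target runs from a user profile's AppData folder. The sample lines are constructed: because the real substituted characters are not recoverable from the page, the first line uses Cyrillic look-alikes as a stand-in (an assumption), and the other two are modelled on legitimate shortcuts quoted in the posts.

```python
"""Audit of FRST-style Shortcut lines for browser-shortcut hijacking.

Added example (not Malwarebytes or FRST code). Two checks taken from the
HPRewriter2 post: a shortcut name built from look-alike letters, and a
shortcut target that runs from a user profile's AppData folder.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample. The page shows the substituted letters as "?", so
# Cyrillic look-alikes are used as a stand-in here (an assumption). Lines 2
# and 3 are modelled on legitimate shortcuts quoted in the posts.
SAMPLE_SHORTCUTS = [
    "ShortcutWithArgument: C:\\Users\\Public\\Desktop\\G\u043e\u043egl\u0435 \u0421hr\u043em\u0435.lnk -> "
    "C:\\Users\\{username}\\AppData\\Roaming\\HPRewriter2\\RewRun3.exe (hxaynup) -> 1 0",
    "Shortcut: C:\\Users\\{username}\\Desktop\\Internet Download Manager.lnk -> "
    "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe (Tonec Inc.)",
    "ShortcutWithArgument: C:\\Users\\{username}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs"
    "\\Accessories\\Accessibility\\Ease of Access.lnk -> C:\\Windows\\System32\\control.exe "
    "(Microsoft Corporation) -> /name Microsoft.EaseOfAccessCenter",
]

# "Shortcut[WithArgument]: <lnk> -> <target> (<company>) [-> <args>]"
SHORTCUT_RE = re.compile(
    r'^Shortcut(?:WithArgument)?:\s+(?P<lnk>.+?\.lnk)\s+->\s+'
    r'(?P<target>.+?\.(?:exe|url|bat|cmd|dll))'
    r'(?:\s+\((?P<company>[^)]*)\))?(?:\s+->\s+(?P<args>.*))?$',
    re.IGNORECASE)
# A target inside a user profile's AppData is where this hijacker kept RewRun3.exe.
APPDATA_TARGET_RE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


@dataclass
class ShortcutFinding:
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def script_of(ch: str) -> Optional[str]:
    """First word of the Unicode name (LATIN, CYRILLIC, GREEK, ...) for letters only."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, 'UNKNOWN').split(' ', 1)[0]


def mixed_script(name: str) -> bool:
    """True when the letters of one name come from more than one script."""
    scripts = {s for s in map(script_of, name) if s}
    return len(scripts) > 1


def audit_shortcut_line(line: str) -> Optional[ShortcutFinding]:
    """Return a finding for one suspicious Shortcut line, or None."""
    m = SHORTCUT_RE.match(line.strip())
    if not m:
        return None
    name = m['lnk'].rsplit('\\', 1)[-1][:-len('.lnk')]
    reasons = []
    if mixed_script(name):
        reasons.append('shortcut name mixes scripts (look-alike letters)')
    if APPDATA_TARGET_RE.match(m['target']):
        reasons.append('target runs from a user profile AppData folder')
    return ShortcutFinding(name, m['target'], reasons) if reasons else None


def audit_shortcuts(lines) -> List[ShortcutFinding]:
    """Run audit_shortcut_line over a whole log and keep only the hits."""
    return [f for f in map(audit_shortcut_line, lines) if f is not None]


if __name__ == '__main__':
    for f in audit_shortcuts(SAMPLE_SHORTCUTS):
        print(f'{f.name!r} -> {f.target}')
        for reason in f.reasons:
            print('    -', reason)
```

On the sample only the first line is reported, with both reasons; the Internet Download Manager and Ease of Access shortcuts pass because their names are pure Latin and their targets sit under Program Files and C:\Windows. The mixed-script check is what makes the look-alike names visible at all, since on screen they read exactly like the originals.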
  9. What is PC Cleaner Pro?

The Malwarebytes research team has determined that PC Cleaner Pro is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by PC Cleaner Pro?

You may see this warning during install:

You may see this window that covers your whole screen:

and these windows while trying to get out of the locked screen:

How did PC Cleaner Pro get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a PC cleaner, but it also installs files that will produce a fake Windows Activation screen with the Tech Support Scammers number.

How do I remove PC Cleaner Pro?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. But due to the behaviour of the program you will have to reboot into Safe Mode with Networking first.
Alternatively you can try to get out of the lockscreen by typing "closecloseclosecloseclose" in the main form and click on the "Activate" button. You will get a confirmation prompt. Close that prompt and you will be sent back to your desktop. There you may see the main screen of the PC Cleaner Pro part of the setup. But that will not stop you from downloading and running Malwarebytes Anti-Malware.
After following either method continue with the instructions below.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Windows Games TSS?

No, Malwarebytes' Anti-Malware removes Windows Games TSS completely.

Is there anything else I need to do to get rid of PC Cleaner Pro?

No, Malwarebytes' Anti-Malware removes PC Cleaner Pro completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:
() C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe
HKCU\...\Run: [PC JUNKCLEANER] => C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe [1636352 2016-08-07] ()
HKCU\...\Run: [POKEMONEGOGAMES] => C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe [568320 2016-08-07] (Microsoft)
C:\Users\{username}\Documents\PcjunkCleaner.xml
C:\Program Files (x86)\A POKEMONGO Company
(A POKEMONGO Company) C:\Users\{username}\Desktop\PCcleanerpro.exe
PC Cleaner Pro (x32 Version: 1.0.0 - A POKEMONGO Company) Hidden

Alterations made by the installer:

File system details [View: All details] (Selection) ---------------------------------------------------
Adds the folder C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro
Adds the file ClearBrowserHistory.dll"="10/9/2015 8:53 PM, 89088 bytes, A
Adds the file ClearClipboard.dll"="10/9/2015 8:37 PM, 40960 bytes, A
Adds the file ClearRecycleBin.dll"="10/9/2015 8:38 PM, 83968 bytes, A
Adds the file NewWindowActivation.exe"="8/7/2016 9:27 AM, 568320 bytes, A
Adds the file PC JUNKCLEANER.exe"="8/7/2016 8:47 AM, 1636352 bytes, A
Adds the file RunClearHistory.dll"="10/9/2015 8:39 PM, 43008 bytes, A
Adds the folder C:\Windows\Installer\{68A9A36C-796C-406E-BF55-3F10D14A336F}
Adds the file pokemonego.exe"="8/16/2016 8:29 AM, 370070 bytes, RA

Registry details [View: All details] (Selection) ------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6]
"AdvertiseFlags"="REG_DWORD", 388
"Assignment"="REG_DWORD", 1
"AuthorizedLUAApp"="REG_DWORD", 0
"Clients"="REG_MULTI_SZ, ": "
"DeploymentFlags"="REG_DWORD", 3
"InstanceType"="REG_DWORD", 0
"Language"="REG_DWORD", 1033
"PackageCode"="REG_SZ", "DDAA172B049366441A959D3FDCDABA6B"
"ProductIcon"="REG_SZ", "C:\Windows\Installer\{68A9A36C-796C-406E-BF55-3F10D14A336F}\pokemonego.exe"
"ProductName"="REG_SZ", "PC Cleaner Pro"
"Version"="REG_DWORD", 16777216
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6\SourceList]
"LastUsedSource"="REG_EXPAND_SZ, "n;1;C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\"
"PackageName"="REG_SZ", "PokemoneGoGames.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6\SourceList\Media]
"1"="REG_SZ", ";"
"DiskPrompt"="REG_SZ", "[1]"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C63A9A86C697E604FB55F3011DA433F6\SourceList\Net]
"1"="REG_EXPAND_SZ, "C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0CC6001FF20744C46A8600498CDD92D9]
"C63A9A86C697E604FB55F3011DA433F6"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\A POKEMONGO Company\"="REG_SZ", ""
"C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\"="REG_SZ", ""
"C:\Windows\Installer\{68A9A36C-796C-406E-BF55-3F10D14A336F}\"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C63A9A86C697E604FB55F3011DA433F6\InstallProperties]
"AuthorizedCDFPrefix"="REG_SZ", ""
"Comments"="REG_SZ", "This installer database contains the logic and data required to install PC Cleaner Pro."
"Contact"="REG_SZ", ""
"DisplayName"="REG_SZ", "PC Cleaner Pro"
"DisplayVersion"="REG_SZ", "1.0.0"
"EstimatedSize"="REG_DWORD", 2392
"HelpLink"="REG_SZ", ""
"HelpTelephone"="REG_SZ", ""
"InstallDate"="REG_SZ", "20160816"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\"
"InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\"
"Language"="REG_DWORD", 1033
"LocalPackage"="REG_SZ", "C:\Windows\Installer\33aad2.msi"
"NoModify"="REG_DWORD", 1
"NoRemove"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "A POKEMONGO Company"
"Readme"="REG_SZ", ""
"Size"="REG_SZ", ""
"SystemComponent"="REG_DWORD", 1
"URLInfoAbout"="REG_SZ", ""
"URLUpdateInfo"="REG_SZ", ""
"Version"="REG_DWORD", 16777216
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 0
"WindowsInstaller"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\A POKEMONGO Company\PC Cleaner Pro]
"Path"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\"
"Version"="REG_SZ", "1.0.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Caphyon\Advanced Installer\LZMA\{68A9A36C-796C-406E-BF55-3F10D14A336F}\1.0.0]
"AI_ExePath"="REG_SZ", "C:\Users\{username}\Desktop\PCcleanerpro.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{68A9A36C-796C-406E-BF55-3F10D14A336F}]
"AuthorizedCDFPrefix"="REG_SZ", ""
"Comments"="REG_SZ", "This installer database contains the logic and data required to install PC Cleaner Pro."
"Contact"="REG_SZ", "" "DisplayName"="REG_SZ", "PC Cleaner Pro" "DisplayVersion"="REG_SZ", "1.0.0" "EstimatedSize"="REG_DWORD", 2392 "HelpLink"="REG_SZ", "" "HelpTelephone"="REG_SZ", "" "InstallDate"="REG_SZ", "20160816" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\" "InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\A POKEMONGO Company\PC Cleaner Pro 1.0.0\install\14A336F\" "Language"="REG_DWORD", 1033 "NoModify"="REG_DWORD", 1 "NoRemove"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "A POKEMONGO Company" "Readme"="REG_SZ", "" "Size"="REG_SZ", "" "SystemComponent"="REG_DWORD", 1 "URLInfoAbout"="REG_SZ", "" "URLUpdateInfo"="REG_SZ", "" "Version"="REG_DWORD", 16777216 "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 0 "WindowsInstaller"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PC JUNKCLEANER] "EXPDATE"="REG_SZ", "2016-08-26" "FIRSTDATE"="REG_SZ", "2016-08-16" "FIRSTTIME"="REG_SZ", "w" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "PC JUNKCLEANER"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe" "POKEMONEGOGAMES"="REG_SZ", "C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe" Malwarebytes Anti-Malware log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 8/16/2016 Scan Time: 8:36 AM Logfile: mbamPCCleanerPro.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.08.16.04 Rootkit Database: v2016.08.15.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 317953 Time Elapsed: 8 min, 56 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 1 Rogue.TechSupportScam, C:\Program Files (x86)\A 
POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe, 3640, Delete-on-Reboot, [f9cbc08bc6d412247b3c42875ca8d927] Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 2 Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|PC JUNKCLEANER, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe, Quarantined, [f9cbc08bc6d412247b3c42875ca8d927] Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|POKEMONEGOGAMES, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe, Quarantined, [cdf7f15a62380f278e23f0d97292738d] Registry Data: 0 (No malicious items detected) Folders: 2 Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Files: 8 Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\PC JUNKCLEANER.exe, Delete-on-Reboot, [f9cbc08bc6d412247b3c42875ca8d927], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\NewWindowActivation.exe, Quarantined, [cdf7f15a62380f278e23f0d97292738d], Rogue.TechSupportScam, C:\Users\{username}\Desktop\PCcleanerpro.exe, Quarantined, [4381ba91cad0cb6b76346069996bd52b], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\ClearBrowserHistory.dll, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\ClearClipboard.dll, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\ClearRecycleBin.dll, Delete-on-Reboot, [d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Program Files (x86)\A POKEMONGO Company\PC Cleaner Pro\RunClearHistory.dll, Delete-on-Reboot, 
[d3f1cb80c2d82115baf19732c044847c], Rogue.TechSupportScam, C:\Users\{username}\Documents\PcjunkCleaner.xml, Quarantined, [0db7df6ceab02d09357b339642c22fd1], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is HDWallPaper?

The Malwarebytes research team has determined that HDWallPaper is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by HDWallPaper?

You may see these warnings during install:

this entry in your list of installed programs:

this task in your Task Scheduler:

and this icon on your desktop, in your taskbar and in your start menu:

How did HDWallPaper get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove HDWallPaper?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.

Double-click mbam-setup-{version}.exe and follow the prompts to install the program.

At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware

Then click Finish.

Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.

If an update is available, it will be implemented before the rest of the scanning procedure.

When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of HDWallPaper?

No, Malwarebytes' Anti-Malware removes HDWallPaper completely.

This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware. As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the HDWallPaper adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

(HDWallPaper) C:\Program Files (x86)\HDWallPaper\HDWallPaper.exe
HKCU\...\Run: [HDWallPaper] => C:\Program Files (x86)\HDWallPaper\TaskSetter.exe [387496 2016-08-04] (HDWallPaper)
C:\Users\{username}\AppData\Roaming\HDWallPaper
C:\Windows\System32\Tasks\HDWallPaper
C:\Users\Public\Desktop\HDWallPaper.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDWallPaper
C:\Program Files (x86)\HDWallPaper
HDWallPaper 1.0 (HKLM-x32\...\HDWallPaper_is1) (Version: 1.0.0.65 - HDWallPaper)
Task: {555B79ED-05C3-44B5-B2F8-780CF9B6F495} - System32\Tasks\HDWallPaper => C:\Program Files (x86)\HDWallPaper\HDWallPaper.exe [2016-08-04] (HDWallPaper) <==== ATTENTION

Alterations made by the installer:

Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDWallPaper
   Adds the file HDWallPaper.lnk"="8/15/2016 8:19 AM, 1061 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\HDWallPaper
   Adds the file config.ini"="8/15/2016 8:20 AM, 134 bytes, A
   Adds the file history.ini"="8/15/2016 8:20 AM, 2 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\HDWallPaper\history
Adds the folder C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper
   Adds the file ndArrInfo_0.ini"="8/15/2016 8:20 AM, 18936 bytes, A
   Adds the file ndArrInfo_1.ini"="8/15/2016 8:20 AM, 15578 bytes, A
   Adds the file ndArrInfo_2.ini"="8/15/2016 8:20 AM, 14826 bytes, A
   Adds the file ndArrInfo_3.ini"="8/15/2016 8:20 AM, 16520 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0
   Adds the file 32656.png"="8/15/2016 8:20 AM, 37265 bytes, A
   Adds the file 32657.png"="8/15/2016 8:20 AM, 54181 bytes, A
   Adds the file 32658.png"="8/15/2016 8:20 AM, 53237 bytes, A
   Adds the file 32659.png"="8/15/2016 8:20 AM, 46065 bytes, A
   Adds the file 32660.png"="8/15/2016 8:20 AM, 28123 bytes, A
   Adds the file 32668.png"="8/15/2016 8:20 AM, 41061 bytes, A
   Adds the file 32677.png"="8/15/2016 8:20 AM, 47029 bytes, A
   Adds the file 32678.png"="8/15/2016 8:20 AM, 63129 bytes, A
   Adds the file 32691.png"="8/15/2016 8:20 AM, 49107 bytes, A
   Adds the file 32692.png"="8/15/2016 8:20 AM, 55151 bytes, A
   Adds the file 32694.png"="8/15/2016 8:20 AM, 49363 bytes, A
   Adds the file 32700.png"="8/15/2016 8:20 AM, 46097 bytes, A
   Adds the file 32701.png"="8/15/2016 8:20 AM, 50685 bytes, A
   Adds the file 32703.png"="8/15/2016 8:20 AM, 32522 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0
   Adds the file 32654.png"="8/15/2016 8:20 AM, 201328 bytes, A
   Adds the file 32655.png"="8/15/2016 8:20 AM, 184509 bytes, A
   Adds the file 32661.png"="8/15/2016 8:20 AM, 165976 bytes, A
   Adds the file 32702.png"="8/15/2016 8:20 AM, 213795 bytes, A
In the existing folder C:\Users\Public\Desktop
   Adds the file HDWallPaper.lnk"="8/15/2016 8:19 AM, 1043 bytes, A
In the existing folder C:\Windows\System32\Tasks
   Adds the file HDWallPaper"="8/15/2016 8:19 AM, 3182 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HDWallPaper_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\HDWallPaper\HDWallPaper.exe"
"DisplayName"="REG_SZ", "HDWallPaper 1.0"
"DisplayVersion"="REG_SZ", "1.0.0.65"
"EstimatedSize"="REG_DWORD", 8408
"HelpLink"="REG_SZ", "http://hd-wpaper.com/"
"Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\HDWallPaper"
"Inno Setup: Deselected Tasks"="REG_SZ", ""
"Inno Setup: Icon Group"="REG_SZ", "HDWallPaper"
"Inno Setup: Language"="REG_SZ", "default"
"Inno Setup: Selected Tasks"="REG_SZ", "desktopicon"
"Inno Setup: Setup Version"="REG_SZ", "5.5.4 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20160815"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\HDWallPaper\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "HDWallPaper"
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\HDWallPaper\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\HDWallPaper\unins000.exe""
"URLInfoAbout"="REG_SZ", "http://hd-wpaper.com/"
"URLUpdateInfo"="REG_SZ", "http://hd-wpaper.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HDWallPaper"="REG_SZ", ""C:\Program Files (x86)\HDWallPaper\TaskSetter.exe" /start"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/15/2016
Scan Time: 8:45 AM
Logfile: mbamHDWallpaper.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.15.01
Rootkit Database: v2016.08.09.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317699
Time Elapsed: 8 min, 55 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\HDWallPaper.exe, 3160, Delete-on-Reboot, [b5a81437ebaf6cca04af319842c2bc44]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.HDWallPaper, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\HDWallPaper, Delete-on-Reboot, [f964a5a62f6b70c66717448552b29f61],
PUP.Optional.HDWallPaper, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HDWallPaper_is1, Quarantined, [fb62361592085cdaa4a17854b64ed32d],

Registry Values: 1
PUP.Optional.HDWallPaper, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HDWallPaper, "C:\Program Files (x86)\HDWallPaper\TaskSetter.exe" /start, Quarantined, [60fd4605465493a3e6cdb316f70d6e92]

Registry Data: 0
(No malicious items detected)

Folders: 16
PUP.Optional.HDWallPaper, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDWallPaper, Quarantined, [76e7c7847228ab8b116885443fc5be42],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper, Delete-on-Reboot, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\images, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\Language, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\history, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\BigIcon, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\BigIcon\0, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon2, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon2\0, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],

Files: 80
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\HDWallPaper.exe, Delete-on-Reboot, [b5a81437ebaf6cca04af319842c2bc44],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\TaskSetter.exe, Quarantined, [60fd4605465493a3e6cdb316f70d6e92],
PUP.Optional.HDWallPaper, C:\Users\{username}\Desktop\HDWallPaper-setup.exe, Quarantined, [88d5f853594154e206ad1faa9a6a44bc],
PUP.Optional.HDWallPaper, C:\Windows\System32\Tasks\HDWallPaper, Quarantined, [3429202ba2f83ef8b7c69b2e5fa550b0],
PUP.Optional.HDWallPaper, C:\Users\Public\Desktop\HDWallPaper.lnk, Quarantined, [1b429bb0bedc4cea98e89831fc08f20e],
PUP.Optional.HDWallPaper, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDWallPaper\HDWallPaper.lnk, Quarantined, [76e7c7847228ab8b116885443fc5be42],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\autoUpdate.exe, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\deInit.exe, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\HDInstaller.exe, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\promote.exe, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\unins000.dat, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\unins000.exe, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\images\title_chinese.png, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\images\title_english.png, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\Language\ChineseSimp.lng, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Program Files (x86)\HDWallPaper\Language\English.lng, Quarantined, [df7e73d84a5070c6b0ca89408e764bb5],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\config.ini, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\history.ini, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\history\0_26463.png, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\ndArrInfo_0.ini, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\ndArrInfo_1.ini, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\ndArrInfo_2.ini, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\ndArrInfo_3.ini, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\BigIcon\0\26463.jpg, Quarantined, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32006.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\25871.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\25925.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\25945.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\25985.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\26242.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\26317.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\26337.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\26450.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\26722.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\27300.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\27372.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\31525.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\31884.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\31973.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\31998.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\31999.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32001.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32002.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32003.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32004.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32005.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32119.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32123.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32124.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32142.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32205.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32235.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32427.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32652.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32653.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32656.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32657.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32658.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32659.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32660.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32668.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32677.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32678.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32691.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32692.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32694.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32700.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32701.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon\0\32703.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0\25946.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0\31997.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0\32654.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0\32655.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0\32661.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon1\0\32702.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon2\0\25884.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon2\0\26463.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon2\0\32000.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon2\0\32115.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],
PUP.Optional.HDWallPaper, C:\Users\{username}\AppData\Roaming\HDWallPaper\wallPaper\data\SmallIcon2\0\32514.png, Delete-on-Reboot, [65f8aba0237787afc7eafdcce61ea759],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
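The FRST excerpts in the PC Cleaner Pro and HDWallPaper posts above, and the shortcut hijack described in the Youndoo-Elex post that follows, all come down to three persistence points: a Run value, a scheduled task, and a desktop shortcut pointing at a batch file. This PowerShell audit is an added example, not code from the Malwarebytes posts; it only reports what it finds, and the folder names in $SuspectFolders (an assumption you extend for your own case) are the install folders those posts list.

```powershell
# Added example, not from the Malwarebytes posts: a read-only audit of the
# persistence points the FRST excerpts list. It reports findings; it removes nothing.
# Assumption: $SuspectFolders holds the install folders named in the posts.

$SuspectFolders = @(
    'C:\Program Files (x86)\A POKEMONGO Company',   # PC Cleaner Pro (Tech Support Scam)
    'C:\Program Files (x86)\HDWallPaper'            # HDWallPaper (adware)
)

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($folder in $SuspectFolders) {
        if ($expanded -like "$folder\*") { return $true }
    }
    return $false
}

# A Run value may be quoted and carry arguments, e.g. "...\TaskSetter.exe" /start
# in the HDWallPaper post. Return only the executable path.
function Get-CommandExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # unquoted command line: cut at the first " /" or " -" switch
    return ($Command -replace '\s+[/-].*$', '').Trim()
}

function Get-SuspectPersistence {
    $findings = @()

    # 1. Run values (FRST: HKCU\...\Run: [PC JUNKCLEANER] => ..., [HDWallPaper] => ...)
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own PSPath/PSParentPath etc.
            $command = [string]$p.Value
            if (Test-SuspectPath (Get-CommandExecutable $command)) {
                $findings += [pscustomobject]@{ Kind = 'RunValue'; Location = "$key\$($p.Name)"; Target = $command }
            }
        }
    }

    # 2. Scheduled task actions (FRST: Task: {...} - System32\Tasks\HDWallPaper => HDWallPaper.exe)
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and (Test-SuspectPath (Get-CommandExecutable $action.Execute))) {
                $findings += [pscustomobject]@{ Kind = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Target = $action.Execute }
            }
        }
    }

    # 3. Shortcuts: flag targets inside a suspect folder, and the Youndoo-Elex pattern
    #    (Google Chrome.lnk -> C:\ProgramData\Google Chrome.lnk.bat)
    $shell = New-Object -ComObject WScript.Shell
    $shortcutDirs = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
    )
    foreach ($dir in $shortcutDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($lnk in (Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue)) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            $batInProgramData = ($target -like "$env:ProgramData\*") -and ($target -like '*.bat')
            if ($batInProgramData -or (Test-SuspectPath $target)) {
                $findings += [pscustomobject]@{ Kind = 'Shortcut'; Location = $lnk.FullName; Target = $target }
            }
        }
    }

    return $findings
}

Get-SuspectPersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM Run keys and all scheduled tasks are readable; an empty table means none of the listed persistence points were found.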
  11. What is Youndoo-Elex? The Malwarebytes research team has determined that Youndoo-Elex is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the effected browser visits their site or one of their choice. This one also displays advertisements. How do I know if my computer is affected by Youndoo-Elex? This is how the start- and search-page looks: And you may see this change in the properties of the shortcuts for Chrome and Firefox on your desktop: pointing to these batch files in the ProgramData folder: Note the strange Unicode characters in the filenames With a content similar to this: and this entry in your list of installed programs: The pinned shortcuts in the taskbar for Chrome and Firefox were rendered useless: How did Youndoo-Elex get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software. How do I remove Youndoo-Elex? Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program. Please download Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-{version}.exe and follow the prompts to install the program. At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware Then click Finish. Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu. If an update is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Youndoo-Elex? No, Malwarebytes' Anti-Malware removes Youndoo-Elex completely. The hijacker alters the shortcuts for Chrome and FireFox. here you can read how to create new, clean shortcuts. How would the full version of Malwarebytes Anti-Malware help protect me? 
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Youndoo-Elex hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Signs in a FRST log:
(TODO: <Company name>) C:\Program Files (x86)\SoEasySvc\SoEasySvc.exe
ShellIconOverlayIdentifiers: [MyOverlayIcon] -> {B41B3408-923F-4B8B-85F2-146C509FA18C} => C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy\Zohitain.dll [2016-08-12] ()
S3 Erwutionphutesy Update; C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy\ErwutionphutesyUpdatevrl.exe [291520 2016-08-12] ()
R2 SoEasySvc; C:\Program Files (x86)\SoEasySvc\SoEasySvc.exe [110776 2016-08-04] (TODO: <Company name>)
C:\Program Files (x86)\SoEasySvc
C:\Users\{username}\AppData\Local\Lutilyantersy
C:\Program Files (x86)\Cokcultprasitain
youndoo - Uninstall (HKLM-x32\...\{63A8C5F6-99CA-4244-A0FC-5856F62A293F}) (Version:  - )
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\ProgramData\Google Chrome.lnk.bat ()
Shortcut: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\ProgramData\Mozilla Firefox.lnk.bat ()

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Cokcultprasitain
Adds the file Plgaghtatumusyhlp.dll"="8/12/2016 8:41 AM, 249344 bytes, A
Adds the file SoEasy.exe"="8/12/2016 8:41 AM, 803472 bytes, A
Adds the file SpyProDll.dll"="8/12/2016 8:41 AM, 134656 bytes, A
Adds the file vovuther.exex5v"="8/12/2016 8:41 AM, 36 bytes, A
Adds the folder C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy
Adds the file ErwutionphutesyUpdatevrl.exe"="8/12/2016 8:41 AM, 291520 bytes, A
Adds the file Zohitain.dll"="8/12/2016 8:41 AM, 139264 bytes, A
In the existing folder C:\Program Files (x86)\Google\Chrome\Application
Adds the file wtsapi32.dll"="8/12/2016 8:41 AM, 129024 bytes, A
In the existing folder C:\Program Files (x86)\Mozilla Firefox
Adds the file wtsapi32.dll"="8/12/2016 8:41 AM, 129024 bytes, A
Adds the folder C:\Program Files (x86)\SoEasySvc
Adds the file iCmnBase.dll"="8/4/2016 5:20 AM, 149688 bytes, A
Adds the file msvcp110.dll"="11/5/2012 7:20 PM, 535008 bytes, A
Adds the file msvcr110.dll"="11/5/2012 7:20 PM, 875472 bytes, A
Adds the file SoEasySvc.exe"="8/4/2016 5:20 AM, 110776 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy
Adds the file First Run"="2/10/2016 11:38 AM, 0 bytes, A
Adds the file Local State"="8/12/2016 8:41 AM, 94855 bytes, A
Adds the file Safe Browsing Bloom"="3/3/2016 10:12 AM, 7747876 bytes, A
Adds the file Safe Browsing Bloom Prefix Set"="3/3/2016 10:12 AM, 1131836 bytes, A
Adds the file Safe Browsing Channel IDs"="8/5/2016 10:51 AM, 5120 bytes, A
Adds the file Safe Browsing Channel IDs-journal"="8/5/2016 10:51 AM, 0 bytes, A
Adds the file Safe Browsing Cookies"="3/3/2016 10:14 AM, 7168 bytes, A
Adds the file Safe Browsing Cookies-journal"="3/3/2016 10:14 AM, 0 bytes, A
Adds the file Safe Browsing Csd Whitelist"="3/3/2016 10:12 AM, 126632 bytes, A
Adds the file Safe Browsing Download"="3/3/2016 10:12 AM, 248256 bytes, A
Adds the file Safe Browsing Download Whitelist"="3/3/2016 10:12 AM, 17008 bytes, A
Adds the file Safe Browsing Extension Blacklist"="3/3/2016 10:12 AM, 58236 bytes, A
Adds the file Safe Browsing IP Blacklist"="3/3/2016 10:12 AM, 160 bytes, A
Adds the file Safe Browsing UwS List"="3/3/2016 10:12 AM, 1328884 bytes, A
Adds the file Safe Browsing UwS List Prefix Set"="3/3/2016 10:12 AM, 311876 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\Caps
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\CertificateTransparency
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\databases
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Rules
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0
Adds the file icon_128.png"="2/10/2016 11:39 AM, 3372 bytes, A
Adds the file icon_16.png"="2/10/2016 11:39 AM, 160 bytes, A
Adds the file main.html"="2/3/2015 2:09 PM, 92 bytes, A
Adds the file main.js"="2/3/2015 2:09 PM, 95 bytes, A
Adds the file manifest.json"="2/10/2016 11:39 AM, 725 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB\https_www.google.nl_0.indexeddb.leveldb
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIcons
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIconsOld
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache\index-dir
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Storage\ext\chrome-signin\def
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\Crashpad
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\Crashpad\reports
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\EVWhitelist
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\FileTypePolicies
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\OriginTrials
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\PepperFlash
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\pnacl
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\ShaderCache
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\SwiftShader
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\SwReporter
Adds the folder C:\Users\{username}\AppData\Local\Lutilyantersy\WidevineCDM
Adds the folder C:\Users\{username}\AppData\Roaming\Profiles\Viberk.default

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\b`nl{y]
"day"="REG_SZ", "20160812"
"upday"="REG_SZ", "20160812"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B38A71EA-343E-4D69-8FD6-67A57A0AEF61}]
"(Default)"="REG_SZ", "OverlayIcon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\OverlayIcon.DLL]
"AppID"="REG_SZ", "{B38A71EA-343E-4D69-8FD6-67A57A0AEF61}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41B3408-923F-4B8B-85F2-146C509FA18C}]
"(Default)"="REG_SZ", "MyOverlayIcon Class"
"AppID"="REG_SZ", "{B38A71EA-343E-4D69-8FD6-67A57A0AEF61}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41B3408-923F-4B8B-85F2-146C509FA18C}\InprocServer32]
"(Default)"="REG_SZ", "C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy\Zohitain.dll"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41B3408-923F-4B8B-85F2-146C509FA18C}\ProgID]
"(Default)"="REG_SZ", "OverlayIcon.MyOverlayIcon.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41B3408-923F-4B8B-85F2-146C509FA18C}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41B3408-923F-4B8B-85F2-146C509FA18C}\TypeLib]
"(Default)"="REG_SZ", "{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41B3408-923F-4B8B-85F2-146C509FA18C}\VersionIndependentProgID]
"(Default)"="REG_SZ", "OverlayIcon.MyOverlayIcon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}]
"(Default)"="REG_SZ", "IMyOverlayIcon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}\TypeLib]
"(Default)"="REG_SZ", "{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OverlayIcon.MyOverlayIcon]
"(Default)"="REG_SZ", "MyOverlayIcon Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OverlayIcon.MyOverlayIcon\CLSID]
"(Default)"="REG_SZ", "{B41B3408-923F-4B8B-85F2-146C509FA18C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OverlayIcon.MyOverlayIcon\CurVer]
"(Default)"="REG_SZ", "OverlayIcon.MyOverlayIcon.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OverlayIcon.MyOverlayIcon.1]
"(Default)"="REG_SZ", "MyOverlayIcon Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OverlayIcon.MyOverlayIcon.1\CLSID]
"(Default)"="REG_SZ", "{B41B3408-923F-4B8B-85F2-146C509FA18C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}\1.0]
"(Default)"="REG_SZ", "OverlayIcon 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}\1.0\0\win64]
"(Default)"="REG_SZ", "C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy\Zohitain.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}\1.0\FLAGS]
"(Default)"="REG_SZ", "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}\1.0\HELPDIR]
"(Default)"="REG_SZ", "C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}]
"(Default)"="REG_SZ", "IMyOverlayIcon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}\ProxyStubClsid32]
"(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}\TypeLib]
"(Default)"="REG_SZ", "{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}"
"Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\MyOverlayIcon]
"(Default)"="REG_SZ", "{B41B3408-923F-4B8B-85F2-146C509FA18C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\b`nl{y]
"day"="REG_SZ", "20160812"
"upday"="REG_SZ", "20160812"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CB75DF05542D4707119BC449A5FA9A4A]
"(Default)"="REG_SZ", "{EFD519A3-DC49-498A-8DD4-AD1DA8F97FCD}"
"{EFD519A3-DC49-498A-8DD4-AD1DA8F97FCD}"="REG_BINARY, ..............................................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{63A8C5F6-99CA-4244-A0FC-5856F62A293F}]
"DisplayName"="REG_SZ", "youndoo - Uninstall"
"UninstallString"="REG_SZ", "rundll32.exe "C:\Program Files (x86)\Cokcultprasitain\Plgaghtatumusyhlp.dll",DllUninstall "/k={63A8C5F6-99CA-4244-A0FC-5856F62A293F}""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\youndooSoftware\youndoohp]
"oem"="REG_SZ", "amz"
"Time"="REG_DWORD", 1470984111
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Erwutionphutesy Update]
"DisplayName"="REG_SZ", "Erwutionphutesy Update"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy\ErwutionphutesyUpdatevrl.exe" {511AFE50-C2D8-48D5-87EB-B2BCFEC5572C}"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 3
"Type"="REG_DWORD", 272
"WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Erwutionphutesy Update\Security]
"Security"="REG_BINARY, ..d.p...0................4.................... ...............
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SoEasySvc]
"Description"="REG_SZ", "The SoEasy service that aims to offer search easlisy"
"DisplayName"="REG_SZ", "SoEasySvc"
"ErrorControl"="REG_DWORD", 1
"FailureActions"="REG_BINARY, ......................
"ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\SoEasySvc\SoEasySvc.exe" {8DE54EC4-2DF3-4F56-9F19-EBC2BDF2FF59}"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 272
"WOW64"="REG_DWORD", 1
[HKEY_USERS\.DEFAULT\Software\b`nl{y]
"day"="REG_SZ", "20160812"
"upday"="REG_SZ", "20160812"
[HKEY_USERS\.DEFAULT\Software\CB75DF05542D4707119BC449A5FA9A4A]
"c"="REG_DWORD", 1
"d"="REG_SZ", "20160812"
"o"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\CB75DF05542D4707119BC449A5FA9A4A]
"c"="REG_DWORD", 1
"d"="REG_SZ", "20160812"
"o"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\LiveUpdate]
"cd"="REG_SZ", "C:\Users\{username}\AppData\Local\Lutilyantersy"
"fd"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Profiles\Viberk.default"
"hp"="REG_SZ", "http://www.youndoo.com/?z=0f21fa0d78a75257335848bgez5m6eet6b4z1eab2t&from=amz&uid=VBOXXHARDDISK_VB3361b1e7-85c503b7&type=hp"

Excerpt of the Malwarebytes Anti-Malware log (full log available on request):

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/12/2016
Scan Time: 9:36 AM
Logfile: mbamYoundoo2.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.12.03
Rootkit Database: v2016.08.09.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317648
Time Elapsed: 10 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\SoEasySvc.exe, 3476, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84]

Modules: 3
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\iCmnBase.dll, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84], 
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\msvcp110.dll, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84], 
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\msvcr110.dll, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84], 

Registry Keys: 11
PUP.Optional.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Erwutionphutesy Update, Quarantined, [3cf7cb7f009ac670e63b1eae0afa53ad], 
PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\CLSID\{B41B3408-923F-4B8B-85F2-146C509FA18C}, Quarantined, [d95af05a98023006f23e943840c4c53b], 
PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\OverlayIcon.MyOverlayIcon, Quarantined, [5bd859f162382d0932fea8241aea05fb], 
PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\OverlayIcon.MyOverlayIcon.1, Quarantined, [260d4cfe24769d9920109933db2954ac], 
PUP.Optional.Elex, HKLM\SOFTWARE\WOW6432NODE\CLASSES\OverlayIcon.MyOverlayIcon, Quarantined, [f43f6fdb5a40fe38e947b418ab59d42c], 
PUP.Optional.Elex, HKLM\SOFTWARE\WOW6432NODE\CLASSES\OverlayIcon.MyOverlayIcon.1, Quarantined, [c46f004a039740f6f83809c36e96aa56], 
PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\WOW6432NODE\OverlayIcon.MyOverlayIcon, Quarantined, [151eea60ff9b072f919fc7058381b749], 
PUP.Optional.Elex, HKLM\SOFTWARE\CLASSES\WOW6432NODE\OverlayIcon.MyOverlayIcon.1, Quarantined, [b57e65e5e9b152e4f63a04c87094867a], 
PUP.Optional.Elex, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{63A8C5F6-99CA-4244-A0FC-5856F62A293F}, Quarantined, [b1823d0dacee87affb27d2fab252ef11], 
PUP.Optional.SoEasySvc, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SoEasySvc, Quarantined, [65cee961534789ad737719b1a3617c84], 
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\youndooSoftware, Quarantined, [90a38cbe98028da97a6ad0f9cd35b44c], 

Registry Values: 1
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{63A8C5F6-99CA-4244-A0FC-5856F62A293F}|DisplayName, youndoo - Uninstall, Quarantined, [ff34f6545347b284e33f5377927009f7]

Registry Data: 0
(No malicious items detected)

Folders: 520
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc, Delete-on-Reboot, 
[65cee961534789ad737719b1a3617c84], PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain, Quarantined, [59da61e971290a2c45e545879074c838], PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy, Quarantined, [59da61e971290a2c45e545879074c838], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Caps, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\CertificateTransparency, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\databases, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Rules, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, 
C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, 
C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, 
C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\css, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, 
C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, 
C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cloud_route_details, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\_locales, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\_metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB\https_www.google.nl_0.indexeddb.leveldb, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIcons, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIconsOld, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16\index-dir, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache\index-dir, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Storage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Storage\ext, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Storage\ext\chrome-signin, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Storage\ext\chrome-signin\def, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Web Applications, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Crashpad, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Crashpad\reports, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\EVWhitelist, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\FileTypePolicies, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\OriginTrials, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\PepperFlash, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\pnacl, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ShaderCache, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\SwiftShader, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\SwReporter, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\WidevineCDM, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],

Files: 649
PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy\ErwutionphutesyUpdatevrl.exe, Quarantined, [3cf7cb7f009ac670e63b1eae0afa53ad],
PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain\Plgaghtatumusyhlp.dll, Quarantined, [b1823d0dacee87affb27d2fab252ef11],
PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain\SoEasy.exe, Quarantined, [ec476edc2a703006998e8745b252a759],
PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain\SpyProDll.dll, Quarantined, [d360103a2f6b41f5bf66eddfdb296c94],
PUP.Optional.Elex, C:\Program Files (x86)\Mozilla Firefox\wtsapi32.dll, Quarantined, [2c07a3a70d8d3105fcebf9d1f70dfd03],
PUP.Optional.Elex, C:\Program Files (x86)\Google\Chrome\Application\wtsapi32.dll, Quarantined, [082b66e4316966d05d8bbd0d8f75bd43],
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\SoEasySvc.exe, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84],
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\iCmnBase.dll, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84],
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\msvcp110.dll, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84],
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoEasySvc\msvcr110.dll, Delete-on-Reboot, [65cee961534789ad737719b1a3617c84],
PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain\vovuther.exex5v, Quarantined, [59da61e971290a2c45e545879074c838],
PUP.Optional.Elex, C:\Program Files (x86)\Cokcultprasitain\Erwutionphutesy\Zohitain.dll, Quarantined, [59da61e971290a2c45e545879074c838],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\First Run, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Local State, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Bloom, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Bloom Prefix Set, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Channel IDs, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Channel IDs-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Cookies, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Cookies-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Csd Whitelist, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Download, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Download Whitelist, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing Extension Blacklist, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing IP Blacklist, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing UwS List, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Safe Browsing UwS List Prefix Set, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Cookies, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Cookies-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Current Session, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Current Tabs, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Cookies, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Cookies-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Favicons, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Favicons-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Google Profile.ico, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\History, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\History Provider Cache, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\History-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Last Tabs, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Login Data, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Login Data-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Network Action Predictor, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Network Action Predictor-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Network Persistent State, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Origin Bound Certs-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Preferences, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\QuotaManager, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\QuotaManager-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\README, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Secure Preferences, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Shortcuts, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Shortcuts-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Top Sites, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Top Sites-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\TransportSecurity, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Visited Links, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Web Data, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Web Data-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Last Session, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Origin Bound Certs, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\databases\Databases.db, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\databases\Databases.db-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb\000003.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb\LOG.old, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\data_reduction_proxy_leveldb\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Rules\000003.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Rules\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Rules\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Rules\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension Rules\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State\000003.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State\LOG.old, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extension State\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\icon_128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\icon_16.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\main.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\main.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\icon_128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\icon_16.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\main.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\main.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0\128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0\16.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0\32.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0\48.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.60_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\icon_128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\icon_16.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\main.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\main.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\contentscript_bin_prod.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\dasherSettingSchema.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\eventpage_bin_prod.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\page_embed_script.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\craw_background.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\craw_window.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\css\craw_window.css, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\html\craw_window.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\flapper.gif, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\icon_128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\icon_16.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_close.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_hover.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_maximize.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_pressed.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\128.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\angular.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\background_script.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_game_sender.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_route_details.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_route_details.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_sender.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\common.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\feedback.css, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\feedback.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\feedback_script.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\manifest.json, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\material_css_min.css, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\mirroring_common.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\mirroring_hangouts.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\cast_app.css, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\cast_app.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\cast_app_redirect.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\chromecast_logo_grey.png, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\devices.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\index.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\offers.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cast_setup\setup.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cloud_route_details\view.html, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5216.530.0.10_0\cloud_route_details\view.js, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB\https_www.google.nl_0.indexeddb.leveldb\000003.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB\https_www.google.nl_0.indexeddb.leveldb\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB\https_www.google.nl_0.indexeddb.leveldb\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB\https_www.google.nl_0.indexeddb.leveldb\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\IndexedDB\https_www.google.nl_0.indexeddb.leveldb\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIcons\B7FF.tmp, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIcons\B800.tmp, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIconsOld\4879.tmp, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\JumpListIconsOld\487A.tmp, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\https_consent.google.nl_0.localstorage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\https_consent.google.nl_0.localstorage-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\https_www.google.nl_0.localstorage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\https_www.google.nl_0.localstorage-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\https_www.youtube.com_0.localstorage, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Local Storage\https_www.youtube.com_0.localstorage-journal, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\index.txt, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16\06566ff9c80a8014_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16\907bb0d163666c5b_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16\b2821ab637f16106_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16\fdf2cfeb8ad0eeac_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16\index, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\CacheStorage\ae6425408f2239a8c4458f791990c1e6dacbcee7\55d184d2-4756-4d62-bf02-b860787bba16\index-dir\the-real-index, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database\000003.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database\LOG.old, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\Database\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache\2cc80dabc69f58b6_0, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache\2cc80dabc69f58b6_1, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache\index, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Service Worker\ScriptCache\index-dir\the-real-index, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage\000004.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage\000005.ldb, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad],
PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage\LOG.old, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Session Storage\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\CURRENT, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\MANIFEST-000001, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake\Google Docs.ico, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\ChromeDefaultData\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake\Google Docs.ico.md5, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, 
C:\Users\{username}\AppData\Local\Lutilyantersy\Crashpad\metadata, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], PUP.Optional.Elex, C:\Users\{username}\AppData\Local\Lutilyantersy\Crashpad\settings.dat, Quarantined, [47ec66e4c5d5ec4a79b4f5d7e12353ad], Physical Sectors: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
12. What is DPower?

The Malwarebytes research team has determined that DPower is adware. These adware applications display advertisements not originating from the sites you are browsing. This particular one belongs to the EoRezo family.

How do I know if my computer is affected by DPower?

You may see these warnings during install:

and this entry in your list of installed programs:

How did DPower get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove DPower?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of DPower?

No, Malwarebytes' Anti-Malware removes DPower completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the DPower adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

You will see these signs in FRST logs:

HKLM-x32\...\Run: [DiskPower] => C:\Program Files (x86)\DPower\DiskPower.exe [210432 2016-07-21] ()
C:\Program Files (x86)\DPower
DPower version 1.0 (HKLM-x32\...\DPower_is1) (Version: 1.0 - WeMonetize)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\DPower
Adds the file DiskPower.exe"="7/21/2016 10:05 AM, 210432 bytes, A
Adds the file DiskPower.exe.conf"="8/2/2016 9:40 AM, 1276 bytes, A
Adds the file LinqBridge.dll"="7/21/2016 10:05 AM, 62976 bytes, A
Adds the file unins000.dat"="8/11/2016 8:43 AM, 1264 bytes, A
Adds the file unins000.exe"="8/11/2016 8:42 AM, 718497 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DiskPower"="REG_SZ", ""C:\Program Files (x86)\DPower\DiskPower.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DPower_is1]
"DisplayName"="REG_SZ", "DPower version 1.0"
"DisplayVersion"="REG_SZ", "1.0"
"EstimatedSize"="REG_DWORD", 958
"Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\DPower"
"Inno Setup: Icon Group"="REG_SZ", "DPower"
"Inno Setup: Language"="REG_SZ", "english"
"Inno Setup: Setup Version"="REG_SZ", "5.5.4 (a)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20160811"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\DPower\"
"MajorVersion"="REG_DWORD", 1
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "WeMonetize"
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\DPower\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\DPower\unins000.exe""

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/11/2016
Scan Time: 9:54 AM
Logfile: mbamDPower.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.11.01
Rootkit Database: v2016.08.09.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317344
Time Elapsed: 11 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.Tuto4PC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DPower_is1, Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75],

Registry Values: 2
PUP.Optional.Tuto4PC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DiskPower, "C:\Program Files (x86)\DPower\DiskPower.exe", Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75]
PUP.Optional.Tuto4PC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DPOWER_IS1|Publisher, WeMonetize, Quarantined, [cd00b297cccea690d4a007c27a8af60a]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.Tuto4PC, C:\Program Files (x86)\DPower, Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75],

Files: 6
PUP.Optional.Tuto4PC, C:\Users\{username}\Desktop\DiskPower.exe, Quarantined, [4e7f84c52377c1756405d6f3e3216799],
PUP.Optional.Tuto4PC, C:\Program Files (x86)\DPower\unins000.dat, Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75],
PUP.Optional.Tuto4PC, C:\Program Files (x86)\DPower\DiskPower.exe, Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75],
PUP.Optional.Tuto4PC, C:\Program Files (x86)\DPower\DiskPower.exe.conf, Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75],
PUP.Optional.Tuto4PC, C:\Program Files (x86)\DPower\LinqBridge.dll, Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75],
PUP.Optional.Tuto4PC, C:\Program Files (x86)\DPower\unins000.exe, Quarantined, [7e4f44051c7ef83ef77e8f3a4db78b75],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
13. What is Dotdo-Audio?

The Malwarebytes research team has determined that Dotdo-Audio is a browser hijacker. These so-called "hijackers" alter your startpage or searchscopes so that the affected browser visits their site or one of their choice. This one uses a "man in the middle" method on Chrome and Firefox. It also uses audio advertisements.

How do I know if my computer is affected by Dotdo-Audio?

Your computer will slow down considerably. You may hear audio advertisements even when there are no browser windows open. You may notice hidden and renamed files in the Chrome and Firefox application folders. The renamed and hidden files are the original browser executables.

You may have seen a few command prompts during install:

Using taskkill to shut down Chrome and Firefox processes, so it can replace them.

And you may find a few Scheduled Tasks similar to these:

How did Dotdo-Audio get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove Dotdo-Audio?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Dotdo-Audio?

No, Malwarebytes' Anti-Malware removes Dotdo-Audio completely.

This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.

This PUP disables the Windows Defender service. You may want to run services.msc to open Services Manager. Ensure that the Windows Defender service is started and set to Automatic.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Dotdo-Audio hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

It also stops some of the outgoing connections the adware tries to make:

Technical details for experts

Signs in FRST logs:

() C:\Program Files (x86)\micra\sacrosanct.exe
() C:\Program Files (x86)\umm\rickshaws.exe
HKLM\...\Run: [micrometer] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
HKLM-x32\...\Run: [amputate] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
HKCU\...\Run: [finish] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
HKCU\...\Run: [varmints] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
HKCU\...\Run: [sacrosanct] => C:\Program Files (x86)\micra\sacrosanct.exe [36766 2016-07-19] ()
HKCU\...\Run: [ens] => C:\Program Files (x86)\umm\rickshaws.exe [10752 2016-07-19] ()
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heaton.lnk [2016-08-10]
ShortcutTarget: heaton.lnk -> C:\Program Files (x86)\umm\rickshaws.exe ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
C:\Windows\System32\Tasks\49902965
C:\Windows\System32\Tasks\Pa4990296549902965
C:\Program Files (x86)\umm
C:\Program Files (x86)\micra
C:\Windows\scid.exe
C:\Windows\settings.dll
C:\Users\{username}\AppData\Local\66534719.exe
C:\Users\{username}\AppData\Local\10262.exe
Task: {7183CE50-E79D-43B0-A322-408A35C16BD7} - System32\Tasks\49902965 => C:\Program Files (x86)\umm\rickshaws.exe [2016-07-19] () <==== ATTENTION
Task: {7BFBE69C-F99A-4C34-B03B-E764BFEB6C29} - System32\Tasks\Pa4990296549902965 => C:\Program Files (x86)\umm\rickshaws.exe [2016-07-19] ()
() C:\Users\{username}\AppData\Local\Temp\nseEFCF.tmp\ExecCmd.dll
FirewallRules: [{C9C8C4B7-05CB-4F44-B1B7-35C179711A21}] => (Allow) C:\Program Files (x86)\umm\rickshaws.exe

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Program Files (x86)\Google\Chrome\Application
Alters the file chrome.exe 8/3/2016 2:20 AM, 961352 bytes, A ==> 7/19/2016 4:01 AM, 406393 bytes, A
Adds the file chrome334.exe"="8/3/2016 2:20 AM, 961352 bytes, H
Adds the folder C:\Program Files (x86)\micra
Adds the file sacrosanct.exe"="7/19/2016 4:01 AM, 36766 bytes, A
In the existing folder C:\Program Files (x86)\Mozilla Firefox
Alters the file firefox.exe 6/20/2016 11:22 AM, 392136 bytes, A ==> 7/19/2016 4:01 AM, 406396 bytes, A
Adds the file firefox334.exe"="6/20/2016 11:22 AM, 392136 bytes, H
Adds the folder C:\Program Files (x86)\umm
Adds the file Microsoft.Win32.TaskScheduler.dll"="6/26/2015 9:08 PM, 294400 bytes, A
Adds the file rickshaws.exe"="7/19/2016 4:01 AM, 10752 bytes, A
Adds the file settings.dll"="7/19/2016 4:01 AM, 6656 bytes, A
In the existing folder C:\Users\{username}\AppData\Local
Adds the file 10262.exe"="7/19/2016 4:00 AM, 34157 bytes, A
Adds the file 66534719.exe"="7/19/2016 4:00 AM, 127638 bytes, A
In the existing folder C:\Users\{username}\AppData\Local\Microsoft\Media Player
Alters the file CurrentDatabase_372.wmdb 7/20/2016 11:30 AM, 1331200 bytes, A ==> 8/10/2016 8:32 AM, 1331200 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Adds the file heaton.lnk"="8/10/2016 8:18 AM, 762 bytes, A
In the existing folder C:\Windows
Adds the file scid.exe"="7/19/2016 4:01 AM, 10752 bytes, A
Adds the file settings.dll"="7/19/2016 4:01 AM, 6656 bytes, A
In the existing folder C:\Windows\System32\Tasks
Adds the file 49902965"="8/10/2016 8:19 AM, 3808 bytes, A
Adds the file Pa4990296549902965"="8/10/2016 8:19 AM, 3662 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"micrometer"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"amputate"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.everclips.net]
"(Default)"="REG_DWORD", 119
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net]
"(Default)"="REG_DWORD", 119
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ens"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
"finish"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""
"sacrosanct"="REG_SZ", ""C:\Program Files (x86)\micra\sacrosanct.exe""
"varmints"="REG_SZ", ""C:\Program Files (x86)\umm\rickshaws.exe""

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/10/2016
Scan Time: 9:35 AM
Logfile: mbamDotdoAudio.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.10.03
Rootkit Database: v2016.08.09.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317334
Time Elapsed: 10 min, 55 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 3
PUP.Optional.DotDo, C:\Program Files (x86)\micra\sacrosanct.exe, 2100, Delete-on-Reboot, [e3881b2efaa038fe8e73219692726e92]
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, 3176, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, 2360, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72]

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7183CE50-E79D-43B0-A322-408A35C16BD7}, Delete-on-Reboot, [4922aa9f504a91a5881142882fd31be5],
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7BFBE69C-F99A-4C34-B03B-E764BFEB6C29}, Delete-on-Reboot, [4b20fe4b7e1ce353d2c833972ad80ff1],
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\49902965, Delete-on-Reboot, [0d5e0c3d1684c2746834e5e57c861de3],
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Pa4990296549902965, Delete-on-Reboot, [f17aea5f4753bb7b4d5004c6c9399967],

Registry Values: 8
PUP.Optional.DotDo, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|sacrosanct, "C:\Program Files (x86)\micra\sacrosanct.exe", Quarantined, [e3881b2efaa038fe8e73219692726e92]
PUP.Optional.DotDo.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|micrometer, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|amputate, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|finish, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|varmints, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.DotDo.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ens, "C:\Program Files (x86)\umm\rickshaws.exe", Quarantined, [8fdc7dcc99014ee88286be20ac558e72]
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7183CE50-E79D-43B0-A322-408A35C16BD7}|Path, \49902965, Delete-on-Reboot, [4922aa9f504a91a5881142882fd31be5]
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{7BFBE69C-F99A-4C34-B03B-E764BFEB6C29}|Path, \Pa4990296549902965, Delete-on-Reboot, [4b20fe4b7e1ce353d2c833972ad80ff1]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 10
PUP.Optional.DotDo, C:\Program Files (x86)\micra\sacrosanct.exe, Delete-on-Reboot, [e3881b2efaa038fe8e73219692726e92],
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\rickshaws.exe, Delete-on-Reboot, [8fdc7dcc99014ee88286be20ac558e72],
Trojan.Agent, C:\Users\{username}\Desktop\DotdoSetup.exe, Quarantined, [44271f2acbcfe74f0e7dbea8e51d9769],
PUP.Optional.DotDo.PrxySvrRST, C:\Program Files (x86)\umm\settings.dll, Delete-on-Reboot, [363573d6b3e7c86ea24a4e80ec1531cf],
Trojan.Agent, C:\Users\{username}\AppData\Local\10262.exe, Quarantined, [e08b8abfff9b9d99bdcefb6b02008b75],
PUP.Optional.DotDo.PrxySvrRST, C:\Windows\scid.exe, Quarantined, [f576df6af6a4f83ed236c816778ad828],
PUP.Optional.DotDo.PrxySvrRST, C:\Windows\settings.dll, Quarantined, [f17a66e3702afd39ea024985738e17e9],
PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\49902965, Quarantined, [cba02f1a14863cfa2a699535689ab050],
PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\Pa4990296549902965, Quarantined, [8edde4651b7fd56173213892da28af51],
PUP.Optional.DotDo, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\heaton.lnk, Quarantined, [6308fd4c7c1edd593ad4a710788c8d73],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
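The Dotdo-Audio write-up above describes three things a responder can verify directly on a suspect machine: the browser executables were swapped and the originals kept as hidden, renamed copies in the same folder; the WinDefend service was pushed to start type 3 (Manual) with the DisableAntiSpyware policy set; and two scheduled tasks were dropped to relaunch rickshaws.exe. The following PowerShell is an added example for this thread and is not code from the original post or from Malwarebytes. It uses only built-in cmdlets; the browser paths are the default install locations (an assumption, adjust them for the machine you inspect) and the repair function does exactly what the post advises by hand in services.msc.

```powershell
# Added example, not part of the original post. Triage checks for the Dotdo-Audio
# behaviour described above: swapped browser binaries with hidden renamed originals,
# a downgraded WinDefend service, the DisableAntiSpyware policy, and scheduled tasks.
# Browser paths are the default install folders (assumption; adjust as needed).

$BrowserBinaries = @(
    'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe',
    'C:\Program Files\Google\Chrome\Application\chrome.exe',
    'C:\Program Files (x86)\Mozilla Firefox\firefox.exe',
    'C:\Program Files\Mozilla Firefox\firefox.exe'
)

function Get-BrowserBinaryReport {
    # For each browser executable: size, Authenticode status and signer, plus any
    # hidden .exe files next to it (chrome334.exe / firefox334.exe in the post).
    foreach ($exe in $BrowserBinaries) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $folder = Split-Path -Parent $exe
        $hidden = Get-ChildItem -LiteralPath $folder -Filter '*.exe' -Force |
            Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) }

        [pscustomobject]@{
            Path       = $exe
            SizeBytes  = (Get-Item -LiteralPath $exe).Length
            SigStatus  = $sig.Status      # genuine chrome.exe / firefox.exe report 'Valid'
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            HiddenExes = ($hidden | ForEach-Object { '{0} ({1} bytes)' -f $_.Name, $_.Length }) -join '; '
        }
    }
}

function Get-DefenderState {
    # "S3 WinDefend" in the FRST log means start type Manual; the post wants Automatic.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                            -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceState       = if ($svc) { $svc.State }     else { 'not installed' }
        ServiceStartMode   = if ($svc) { $svc.StartMode } else { 'not installed' }
        DisableAntiSpyware = if ($pol) { $pol.DisableAntiSpyware } else { '(not set)' }
    }
}

function Repair-DefenderState {
    # Same remediation as the post's services.msc advice, plus removal of the
    # policy value the installer wrote. Run from an elevated prompt.
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
                        -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    Set-Service -Name WinDefend -StartupType Automatic
    Start-Service -Name WinDefend
}

function Get-TaskCommands {
    # Task definitions are XML files under System32\Tasks; the post shows two
    # (49902965 and Pa4990296549902965) pointing at rickshaws.exe. Listing every
    # task's command makes targets outside the usual vendor folders stand out.
    $taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
    Get-ChildItem -LiteralPath $taskRoot -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            try { $xml = [xml](Get-Content -LiteralPath $_.FullName) } catch { return }
            foreach ($exec in @($xml.Task.Actions.Exec)) {
                if (-not $exec.Command) { continue }   # COM-handler tasks have no Exec action
                [pscustomobject]@{
                    Task    = $_.FullName.Substring($taskRoot.Length)
                    Command = $exec.Command
                    Args    = $exec.Arguments
                }
            }
        }
}

Get-BrowserBinaryReport | Format-List
Get-DefenderState
Get-TaskCommands | Sort-Object Command | Format-Table -AutoSize
```

Two things to read from the output. A chrome.exe of 406393 bytes with SigStatus NotSigned next to a hidden chrome334.exe of 961352 bytes matches the "Alters the file / Adds the file" pair in the Regshot-style listing above, and the Authenticode check is what separates a genuine browser binary from the proxy that replaced it, regardless of what the file calls itself. Run Repair-DefenderState only after the scan has removed rickshaws.exe and its Run entries; otherwise the PUP simply rewrites the policy on its next start.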
14. What is Windows Games TSS?

The Malwarebytes research team has determined that Windows Games TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end. This particular one uses a continuously refreshing window to block the user from the use of his system.

How do I know if my computer is affected by Windows Games TSS?

This is one of the warnings displayed during install:

You may see this window that covers your whole screen after logging on:

and these windows while trying to get out of the locked screen:

How did Windows Games TSS get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove Windows Games TSS?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application. But due to the behaviour of the program you will have to reboot into Safe Mode with Networking first.

Alternatively you can try to get out of the lockscreen by typing "closecloseclosecloseclose" in the main form and click on the "Activate" button. You will get a confirmation prompt. Close that prompt and you will be sent back to your desktop.

After following either method continue with the instructions below.

Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Windows Games TSS?

No, Malwarebytes' Anti-Malware removes Windows Games TSS completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this Tech Support Scam.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.

Technical details for experts

You may see these entries in FRST logs:

HKCU\...\Run: [NewWindowActivation] => C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe [648512 2016-07-26] (Microsoft)
C:\Program Files\Microsoft Games

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\Microsoft Games\Windows Games
Adds the file NewWindowActivation.exe"="7/26/2016 9:49 PM, 648512 bytes, A
Adds the file test1.bat"="7/19/2016 10:56 PM, 590 bytes, A
Adds the folder C:\Program Files (x86)\Microsoft\Windows Games
Adds the file myTP.exe"="7/29/2016 5:24 PM, 61952 bytes, A
Adds the file Windows Games.exe"="7/28/2016 12:18 AM, 2310032 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Speech\Files\UserLexicons
Adds the file SP_86C9F42BC988495188D431A2C246FFF5.dat"="8/9/2016 8:43 AM, 940 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows Games 1.0.0.1\install\A63CEE2
Adds the folder C:\Windows\Installer\{034F626D-06B1-40B7-81CA-2B926A63CEE2}
Adds the file Windows10logo_1.exe"="8/9/2016 8:39 AM, 370070 bytes, RA

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4C770621CB220AE418F93890344C0297]
"AdvertiseFlags"="REG_DWORD", 388
"Assignment"="REG_DWORD", 1
"AuthorizedLUAApp"="REG_DWORD", 0
"Clients"="REG_MULTI_SZ, ": "
"DeploymentFlags"="REG_DWORD", 3
"InstanceType"="REG_DWORD", 0
"Language"="REG_DWORD", 1033
"PackageCode"="REG_SZ", "460A7E668DC17764C96D01255D06F89F"
"ProductIcon"="REG_SZ", "C:\Windows\Installer\{126077C4-22BC-4EA0-819F-830943C42079}\favicon.exe"
"ProductName"="REG_SZ", "Windows Games"
"Version"="REG_DWORD", 33554432
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4C770621CB220AE418F93890344C0297\SourceList]
"LastUsedSource"="REG_EXPAND_SZ, "n;1;C:\Users\{username}\AppData\Roaming\Microsoft Games\Windows Games 2.0.0.1\install\"
"PackageName"="REG_SZ", "Windows Games.x64.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D626F4301B607B0418ACB229A636EC2E]
"AdvertiseFlags"="REG_DWORD", 388
"Assignment"="REG_DWORD", 1
"AuthorizedLUAApp"="REG_DWORD", 0
"Clients"="REG_MULTI_SZ, ": "
"DeploymentFlags"="REG_DWORD", 3
"InstanceType"="REG_DWORD", 0
"Language"="REG_DWORD", 1033
"PackageCode"="REG_SZ", "AD7BFD8BE497716428877EDA23DC3BB3"
"ProductIcon"="REG_SZ", "C:\Windows\Installer\{034F626D-06B1-40B7-81CA-2B926A63CEE2}\Windows10logo_1.exe"
"ProductName"="REG_SZ", "Windows Games"
"Version"="REG_DWORD", 16777216
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126077C4-22BC-4EA0-819F-830943C42079}]
"AuthorizedCDFPrefix"="REG_SZ", ""
"Comments"="REG_SZ", "This installer database contains the logic and data required to install Windows Games."
"Contact"="REG_SZ", ""
"DisplayName"="REG_SZ", "Windows Games"
"DisplayVersion"="REG_SZ", "2.0.0.1"
"EstimatedSize"="REG_DWORD", 618
"HelpLink"="REG_SZ", ""
"HelpTelephone"="REG_SZ", ""
"InstallDate"="REG_SZ", "20160809"
"InstallLocation"="REG_SZ", "C:\Program Files\Microsoft Games\Windows Games\"
"InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Microsoft Games\Windows Games 2.0.0.1\install\"
"Language"="REG_DWORD", 1033
"ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /X{126077C4-22BC-4EA0-819F-830943C42079}"
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Microsoft Games"
"Readme"="REG_SZ", ""
"Size"="REG_SZ", ""
"SystemComponent"="REG_DWORD", 1
"UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /X{126077C4-22BC-4EA0-819F-830943C42079}"
"URLInfoAbout"="REG_SZ", ""
"URLUpdateInfo"="REG_SZ", ""
"Version"="REG_DWORD", 33554432
"VersionMajor"="REG_DWORD", 2
"VersionMinor"="REG_DWORD", 0
"WindowsInstaller"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{034F626D-06B1-40B7-81CA-2B926A63CEE2}]
"AuthorizedCDFPrefix"="REG_SZ", ""
"Comments"="REG_SZ", "This installer database contains the logic and data required to install Windows Games."
"Contact"="REG_SZ", ""
"DisplayName"="REG_SZ", "Windows Games"
"DisplayVersion"="REG_SZ", "1.0.0.1"
"EstimatedSize"="REG_DWORD", 2300
"HelpLink"="REG_SZ", ""
"HelpTelephone"="REG_SZ", ""
"InstallDate"="REG_SZ", "20160809"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\Microsoft\Windows Games\"
"InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Microsoft\Windows Games 1.0.0.1\install\A63CEE2\"
"Language"="REG_DWORD", 1033
"NoModify"="REG_DWORD", 1
"NoRemove"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Microsoft"
"Readme"="REG_SZ", ""
"Size"="REG_SZ", ""
"SystemComponent"="REG_DWORD", 1
"URLInfoAbout"="REG_SZ", ""
"URLUpdateInfo"="REG_SZ", ""
"Version"="REG_DWORD", 16777216
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 0
"WindowsInstaller"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Games]
"Path"="REG_SZ", "C:\Program Files (x86)\Microsoft\Windows Games\"
"Version"="REG_SZ", "1.0.0.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft Games\Windows Games]
"Path"="REG_SZ", "C:\Program Files\Microsoft Games\Windows Games\"
"Version"="REG_SZ", "2.0.0.1"
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"NewWindowActivation"="C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/9/2016
Scan Time: 10:25 AM
Logfile: mbamPublisher.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.09.04
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317083
Time Elapsed: 8 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|NewWindowActivation, C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63]

Registry Data: 0
(No malicious items detected)

Folders: 1
Rogue.TechSupportScam, C:\Program Files\Microsoft Games\Windows Games, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63],

Files: 3
Rogue.TechSupportScam, C:\Users\{username}\Desktop\Publisher.exe, Quarantined, [6f995fea59412016914627a1eb1906fa],
Rogue.TechSupportScam, C:\Program Files\Microsoft Games\Windows Games\test1.bat, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63],
Rogue.TechSupportScam, C:\Program Files\Microsoft Games\Windows Games\NewWindowActivation.exe, Quarantined, [6a9e5aefa1f99f97677423a52dd79d63],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
  15. What is FreeDriverMaps?
The Malwarebytes research team has determined that FreeDriverMaps is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is affected by FreeDriverMaps?
You may see this entry in your list of installed software:
and this browser window opens after the install:

How did FreeDriverMaps get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove FreeDriverMaps?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
At the end, be sure a check-mark is placed next to:
Launch Malwarebytes Anti-Malware
Then click Finish.
Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
If an update is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of FreeDriverMaps?
No, Malwarebytes' Anti-Malware removes FreeDriverMaps completely.
Use the built-in uninstaller from the installed Software and Features list before or after the scan.

How would the full version of Malwarebytes Anti-Malware help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the FreeDriverMaps hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.searchfdm.com?uid=87294251-9933-43ea-9ace-f2413531c093&uc=20160808&source=bing-bb8&ap=appfocus63&i_id=maps_appfocus63
() C:\Users\{username}\AppData\Local\uninstall.exe
FreeDriverMaps (HKCU\...\FreeDriverMaps) (Version: - Express Software)

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Users\{username}\AppData\Local
Adds the file uninstall.exe"="8/8/2016 6:08 PM, 57870 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\ak]
"Url"="REG_SZ", "http://imp.searchfdm.com/impression.do?&user_id=87294251-9933-43ea-9ace-f2413531c093&subid=20160808&source=bing-bb8&useragent=WindowsNT6.1;Trident/7.0;&adprovider=appfocus63&implementation_id=maps_appfocus63"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://search.searchfdm.com?uid=87294251-9933-43ea-9ace-f2413531c093&uc=20160808&source=bing-bb8&ap=appfocus63&i_id=maps_appfocus63"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"UpgradeTime" = REG_BINARY, .... ==> REG_BINARY, ....
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreeDriverMaps]
"DisplayName"="REG_SZ", "FreeDriverMaps"
"Home"="REG_SZ", "http://search.searchfdm.com?uid=87294251-9933-43ea-9ace-f2413531c093&uc=20160808&source=bing-bb8&ap=appfocus63&i_id=maps_appfocus63"
"Implementation"="REG_SZ", "$implementation"
"InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Local"
"InstallSource"="REG_SZ", "C:\Users\{username}\AppData\Local"
"Publisher"="REG_SZ", "Express Software"
"UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Local\uninstall.exe"
"Userclass"="REG_SZ", "20160808"
"UserId"="REG_SZ", "87294251-9933-43ea-9ace-f2413531c093"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/8/2016
Scan Time: 6:17 PM
Logfile: MBAMFreeDriverMaps.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.08.07
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317011
Time Elapsed: 8 min, 55 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.YourSpeedTestCenter, C:\Users\{username}\Desktop\SETUP.EXE, Quarantined, [9314b296f9a15adc4a5a03e7cd34dd23],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
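As an added, read-only triage example (not part of either guide above and not Malwarebytes' code), the PowerShell below looks for the registry artifact types the two guides list: Uninstall entries hidden with SystemComponent=1 or locked with NoRemove=1 while claiming a Microsoft publisher from an AppData install source, per-user Run entries such as NewWindowActivation, and the Internet Explorer Start Page value that FreeDriverMaps rewrote. It assumes an elevated PowerShell 5.1 or later session on the affected machine; the function names are hypothetical.

```powershell
# Added example, not from the removal guides above: read-only registry triage for the
# artifact types both guides list. Assumes elevated PowerShell 5.1+; function names are hypothetical.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
function Get-SuspiciousUninstallEntry {
    foreach ($root in $uninstallRoots) {
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $key.PSPath
            $reasons = @()
            # SystemComponent=1 hides the entry from Programs and Features
            if ($p.SystemComponent -eq 1) { $reasons += 'hidden (SystemComponent=1)' }
            # NoRemove=1 takes away the Uninstall button for that entry
            if ($p.NoRemove -eq 1) { $reasons += 'no uninstall (NoRemove=1)' }
            # A "Microsoft" publisher whose installer was staged under a user profile
            if ($p.Publisher -like 'Microsoft*' -and $p.InstallSource -like '*\AppData\*') {
                $reasons += 'vendor name vs. AppData install source'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key         = $key.PSChildName
                    DisplayName = $p.DisplayName
                    Publisher   = $p.Publisher
                    Source      = $p.InstallSource
                    Reasons     = $reasons -join '; '
                }
            }
        }
    }
}
function Get-UserRunEntry {
    # Per-user autostart; the TSS guide shows NewWindowActivation.exe registered here
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $run = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run.PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps } |
        Select-Object Name, Value
}
function Get-IEStartPage {
    # Hijackers rewrite this value; an unexpected host here is the sign the guide describes
    (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
}
Get-SuspiciousUninstallEntry | Format-Table -AutoSize
Get-UserRunEntry | Format-Table -AutoSize
Get-IEStartPage
```

The script only reads and reports; removal still goes through the scan and the built-in uninstaller as the guides describe.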