Adware.AnonymizerGadget

Short bio

Adware.AnonymizerGadget is Malwarebytes' detection name for a family of adware that uses a proxy to deliver its advertisements.

Symptoms

GUI AnonymizerGadget

Users may see this type of warning during install:

install AnonymizerGadget

notice this Scheduled Task:

Scheduled Task AnonymizerGadget

and this entry in their list of installed Programs and Features:

installed AnonymizerGadget

Type and source of infection

Adware.AnonymizerGadget promises to provide users with privacy by choosing a proxy.

Adware.AnonymizerGadget is often installed by bundlers. These bundled installers are sometimes detected as Adware.Vitruvian.PrxySvrRST.

Protection

Malwarebytes blocks Adware.AnonymizerGadget

and by blocking their download locations:

Malwarebytes blocks elhournaupload.com

Remediation

Malwarebytes can detect and remove Adware.AnonymizerGadget without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/8/18
Scan Time: 10:32 AM
Log File: 573578e3-529a-11e8-8e72-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.5026
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 238918
Threats Detected: 15
Threats Quarantined: 15
Time Elapsed: 3 min, 15 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026

Module: 2
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026

Registry Key: 1
Adware.AnonymizerGadget.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [10369], [-1],0.0.0

Registry Value: 5
Adware.AnonymizerGadget.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|AnonymizerGadget, Quarantined, [10369], [490737],1.0.5026
Adware.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 6
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\DESKTOP\ANONYMIZER.EXE, Quarantined, [12353], [505115],1.0.5026
Adware.AnonymizerGadget.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490738],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\AGUTILS.DLL, Quarantined, [12353], [505115],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026

Physical Sector: 0
(No malicious items detected)

(end)

Traces/IOCs

You may see these entries in FRST logs:

(Jetico ltd) C:\Users\{username}\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\{username}\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [347784 2018-05-08] (Jetico ltd)
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
C:\Users\{username}\AppData\Roaming\AGData
C:\Windows\System32\Tasks\AGProxyCheck
C:\Program Files (x86)\AnonymizerGadget

AnonymizerGadget (HKCU\...\AnonymizerGadget) (Version: 1 - Jetico lim)
Task: {F33953EB-E849-492E-9A08-26F583D2EACB} - System32\Tasks\AGProxyCheck => C:\Program
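
A read-only host check for the traces listed above, as an added example (not Malwarebytes' or FRST's own code). It assumes it runs in the affected user's session, so that $env:APPDATA resolves to C:\Users\{username}\AppData\Roaming; the function name Test-AnonymizerGadgetTrace is made up for this example, and ProxyServer is the standard Windows value read alongside the ProxyEnable value named in the removal log.

```powershell
# Added example: read-only check for the AnonymizerGadget traces listed above.
# Run from 64-bit PowerShell so System32 and WOW6432Node resolve as in the logs.
function Test-AnonymizerGadgetTrace {   # hypothetical name, not a vendor cmdlet
    $paths = @(
        (Join-Path $env:APPDATA 'AGData'),
        (Join-Path $env:APPDATA 'AGData\bin\AnonymizerLauncher.exe'),
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\AnonymizerGadget'),
        (Join-Path $env:SystemRoot 'System32\Tasks\AGProxyCheck')
    )
    if (${env:ProgramFiles(x86)}) {     # unset on 32-bit Windows
        $paths += Join-Path ${env:ProgramFiles(x86)} 'AnonymizerGadget'
    }

    $found = @()
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $found += [pscustomobject]@{ Type = 'Path'; Item = $p; Detail = 'present' }
        }
    }

    # Autostart value from the FRST line "HKLM-x32\...\Run: [AnonymizerGadget]".
    $runKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'AnonymizerGadget' -ErrorAction SilentlyContinue
    if ($run) {
        $found += [pscustomobject]@{
            Type = 'RunValue'; Item = "$runKey|AnonymizerGadget"; Detail = $run.AnonymizerGadget
        }
    }

    # The removal log lists ProxyEnable among the quarantined values. An enabled
    # proxy is only a lead, so report the configured server for comparison with
    # what this machine is expected to use.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($proxy -and $proxy.ProxyEnable -eq 1) {
        $found += [pscustomobject]@{
            Type = 'Proxy'; Item = "$inet|ProxyEnable"; Detail = "ProxyServer=$($proxy.ProxyServer)"
        }
    }
    return $found
}

Test-AnonymizerGadgetTrace | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed traces were found for the current user; the HKU\S-1-5-18 and HKU\.DEFAULT proxy values from the removal log are not covered by this check.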

Associated threats

  • Adware.AnonymizerGadget.PrxySvrRST
  • Adware.Vitruvian
  • Adware.Vitruvian.PrxySvrRST
