Adware.RunBooster
Short bio
Adware.RunBooster is Malwarebytes' detection for a family of adwarethat mainly uses the Windows scheduled tasksfeature to show advertisements on affected systems.
Symptoms
Adware.RunBooster install warning
Adware.RunBooster Scheduled Task
Adware.RunBooster entry under installed Programs and Features
Protection
Malwarebytes blocks Adware.RunBooster
Remediation
Malwarebytes can detect and remove Adware.RunBooster without further user interaction.
- Please download Malwarebytesto your desktop.
- Double-click MBSetup.exeand follow the prompts to install the program.
- When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- Click Quarantineto remove the found threats.
- Reboot the system if prompted to complete the removal process.
Malwarebytes removal log
A Malwarebytes log of removal will look similar to this:
Malwarebyteswww.malwarebytes.com-Log Details-Scan Date:2/7/17Scan Time:9:11AMLogfile:mbamRunBooster.txtAdministrator:Yes-Software Information-Version:3.0.5.1299Components Version:1.0.43Update Package Version:1.0.1201License:Premium-System Information-OS:Windows 7Service Pack 1CPU:x64File System:NTFSUser:{computername}\{username}-Scan Summary-Scan Type:Threat ScanResult:CompletedObjects Scanned:359009Time Elapsed:2min,3sec-Scan Options-Memory:EnabledStartup:EnabledFilesystem:EnabledArchives:EnabledRootkits:DisabledHeuristics:EnabledPUP:EnabledPUM:Enabled-Scan Details-Process:1Adware.RunBooster,C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE,Quarantined,[2278],[357591],1.0.1201Module:1Adware.RunBooster,C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE,Quarantined,[2278],[357591],1.0.1201Registry Key:3Adware.RunBooster,HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9},Delete-on-Reboot,[2278],[358296],1.0.1201Adware.RunBooster,HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\RunBoosterUpdateTask,Delete-on-Reboot,[2278],[358287],1.0.1201Adware.RunBooster,HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNBOOSTER,Delete-on-Reboot,[2278],[357591],1.0.1201Registry Value:2Adware.RunBooster,HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9}|PATH,Delete-on-Reboot,[2278],[358296],1.0.1201Adware.RunBooster,HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNBOOSTER|DESCRIPTION,Delete-on-Reboot,[2278],[357591],1.0.1201Data Stream:0(Nomalicious items detected)Folder:0(Nomalicious items detected)File:4Adware.RunBooster,C:\USERS\{username}\DESKTOP\RUNBOOSTERSETUP64_3231.EXE,Delete-on-Reboot,[2278],[357686],1.0.1201Adware.RunBooster,C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERUPDATETASK64.EXE,Delete-on-Reboot,[2278],[357685],1.0.1201Adware.RunBooster,C:\WINDOWS\SYSTEM32\TASKS\RUNBOOSTERUPDATETASK,Delete-on-Reboot,[2278],[357683],1.0.1201Adware.RunBooster,C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE,Delete-on-Reboot,[2278],[357591],1.0.1201Physical Sector:0(Nomalicious items detected)(end)
Traces/IOCs
You may see these entries in FRST logs:
(SkyNET Corporation)C:\Program Files\RunBooster\RunBoosterService64.exe R2 RunBooster;C:\Program Files\RunBooster\RunBoosterService64.exe [2867202017-02-07](SkyNET Corporation)[File notsigned]R2 WinDivert1.2;C:\Windows\system32\drivers\WinDivert64.sys [375522017-02-07](Basil)(Basil)C:\Windows\system32\Drivers\WinDivert64.sys C:\Windows\System32\Tasks\RunBoosterUpdateTask C:\Program Files\RunBoosterRunBooster (HKLM\...\RunBooster)(Version:1.0.3-SkyNET Corporation)<====ATTENTIONTask:{9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9}-System32\Tasks\RunBoosterUpdateTask =>C:\Program Files\RunBooster\RunBoosterUpdateTask64.exe [2017-02-07](SkyNET Corporation)<====ATTENTION()C:\Program Files\RunBooster\WinDivert.dll