Adware.AnonymizerGadget

Short bio

Adware.AnonymizerGadget is Malwarebytes’ detection name for a family of adware that uses a proxy to deliver its advertisements.

Symptoms

Adware.AnonymizerGadget runs at boot and sets a Scheduled Task to gain persistence. The main GUI looks like this:

GUI AnonymizerGadget

Users may see this type of warning during install:

install AnonymizerGadget

They may also notice this Scheduled Task:

Scheduled Task AnonymizerGadget

and this entry in their list of installed Programs and Features:

installed AnonymizerGadget

Type and source of infection

Adware.AnonymizerGadget promises to provide users with privacy by choosing a proxy.
Adware.AnonymizerGadget is often installed by bundlers. These bundled installers are sometimes detected as Adware.Vitruvian.PrxySvrRST.

Protection

Malwarebytes protects users from Adware.AnonymizerGadget by using real-time protection,

block Adware.AnonymizerGadget

and by blocking their download locations:

block elhournaupload.com

Remediation

Malwarebytes can detect and remove Adware.AnonymizerGadget without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/8/18
Scan Time: 10:32 AM
Log File: 573578e3-529a-11e8-8e72-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.5026
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 238918
Threats Detected: 15
Threats Quarantined: 15
Time Elapsed: 3 min, 15 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026

Module: 2
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026

Registry Key: 1
Adware.AnonymizerGadget.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [10369], [-1],0.0.0

Registry Value: 5
Adware.AnonymizerGadget.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|AnonymizerGadget, Quarantined, [10369], [490737],1.0.5026
Adware.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 6
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\DESKTOP\ANONYMIZER.EXE, Quarantined, [12353], [505115],1.0.5026
Adware.AnonymizerGadget.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490738],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\AGUTILS.DLL, Quarantined, [12353], [505115],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026

Physical Sector: 0
(No malicious items detected)


(end)

Traces/IOCs

You may see these entries in FRST logs:

(Jetico ltd) C:\Users\{username}\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\{username}\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [347784 2018-05-08] (Jetico ltd)
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
C:\Users\{username}\AppData\Roaming\AGData
C:\Windows\System32\Tasks\AGProxyCheck
C:\Program Files (x86)\AnonymizerGadget

AnonymizerGadget (HKCU\...\AnonymizerGadget) (Version: 1 - Jetico lim)
Task: {F33953EB-E849-492E-9A08-26F583D2EACB} - System32\Tasks\AGProxyCheck => C:\Program
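The persistence mechanisms named in the Symptoms section and the traces listed above can be checked without a scanner. The following PowerShell script is an added example, not Malwarebytes' or the adware's code: it is a read-only triage that looks for the Run value, the AGProxyCheck scheduled task, the AGData and Program Files folders, the launcher process and the ProxyEnable flags from the removal log, and prints what it finds. The registry paths, file names and task name are taken from this page; everything else (variable names, the report format) is the example's own choice.

```powershell
# Added example (not Malwarebytes' code): read-only triage for the
# Adware.AnonymizerGadget traces listed on this page. Run from an elevated
# PowerShell on the host being examined. It only reports; it removes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence (FRST shows HKLM-x32\...\Run: [AnonymizerGadget]).
$runKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $value = Get-ItemProperty -Path $key -Name 'AnonymizerGadget' -ErrorAction SilentlyContinue
    if ($value) {
        $findings.Add("Run value: $key\AnonymizerGadget => $($value.AnonymizerGadget)")
    }
}

# 2. Scheduled task AGProxyCheck. Get-ScheduledTask needs Windows 8 / Server 2012
#    or later; the task XML file under System32\Tasks is checked as well so the
#    trace is still found on Windows 7 or if the task was unregistered.
$task = Get-ScheduledTask -TaskName 'AGProxyCheck' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) => $action")
}
$taskFile = Join-Path $env:SystemRoot 'System32\Tasks\AGProxyCheck'
if (Test-Path -LiteralPath $taskFile) { $findings.Add("Task file: $taskFile") }

# 3. On-disk artifacts, checked for every profile under C:\Users, since the
#    log shows them under {username}\AppData\Roaming.
$usersRoot = Join-Path $env:SystemDrive 'Users'
Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($rel in @('AppData\Roaming\AGData',
                       'AppData\Roaming\AGData\bin\AnonymizerLauncher.exe',
                       'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget')) {
        $p = Join-Path $_.FullName $rel
        if (Test-Path -LiteralPath $p) { $findings.Add("Path: $p") }
    }
}
if (${env:ProgramFiles(x86)}) {
    $pf = Join-Path ${env:ProgramFiles(x86)} 'AnonymizerGadget'
    if (Test-Path -LiteralPath $pf) { $findings.Add("Path: $pf") }
}

# 4. The launcher running as a process (quarantined as "Process: 1" in the log).
Get-Process -Name 'AnonymizerLauncher' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process: $($_.Name) (PID $($_.Id)) $($_.Path)")
}

# 5. ProxyEnable flags the adware sets under HKCU, HKU\S-1-5-18 and HKU\.DEFAULT.
#    HKU: is not a default PowerShell drive, so map it first.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKU:\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $proxyKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.ProxyEnable -eq 1) {
        $findings.Add("Proxy enabled: $key ProxyServer=$($props.ProxyServer)")
    }
}

# 6. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No Adware.AnonymizerGadget traces found.'
} else {
    Write-Output 'Possible Adware.AnonymizerGadget traces:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A ProxyEnable value of 1 on its own is not proof of infection, since managed networks set it legitimately; it matters here when it appears together with the Run value, the AGProxyCheck task or the AGData folder. The proxy server address the script prints is worth recording before remediation, as it is the channel the adware uses to insert its advertisements.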

Associated threats

  • Adware.AnonymizerGadget.PrxySvrRST
  • Adware.Vitruvian
  • Adware.Vitruvian.PrxySvrRST
