Adware.GorillaPrice

Short bio

Adware.GorillaPrice is Malwarebytes’ detection name for standalone installers of an adware family that uses a service and several browser extensions to show advertisements on the affected Windows computer.

Symptoms

Users of systems on which Adware.GorillaPrice is active may notice advertisements in newly opened tabs, as well as advertisements in open tabs that do not originate from the sites that are open.

Protection

Malwarebytes protects users from Adware.GorillaPrice with its real-time protection technology.

Malwarebytes blocks Adware.GorillaPrice

Remediation

Malwarebytes can detect and remove Adware.GorillaPrice without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

An example of a Malwarebytes removal log from a system affected by Adware.GorillaPrice:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/24/17
Scan Time: 8:59 AM
Log File: mbamSavingsCool.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.2009
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 332294
Threats Detected: 12
Threats Quarantined: 12
Time Elapsed: 1 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Adware.GorillaPrice, C:\PROGRAMDATA\MICROSOFT\WINDOWS\NETWORKCACHEMANAGER\NTCACHE.EXE, Quarantined, [1652], [401367],1.0.2009

Module: 1
Adware.GorillaPrice, C:\PROGRAMDATA\MICROSOFT\WINDOWS\NETWORKCACHEMANAGER\NTCACHE.EXE, Quarantined, [1652], [401367],1.0.2009

Registry Key: 3
Adware.GorillaPrice, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ntcache, Delete-on-Reboot, [1652], [401367],1.0.2009
Adware.SavingsCool.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SavingsCool, Delete-on-Reboot, [970], [351594],1.0.2009
Adware.SavingsCool.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Delete-on-Reboot, [970], [-1],0.0.0

Registry Value: 4
Adware.SavingsCool.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [970], [-1],0.0.0
Adware.SavingsCool.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [970], [-1],0.0.0
Adware.SavingsCool.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [970], [-1],0.0.0
Adware.SavingsCool.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [970], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
Adware.GorillaPrice, C:\PROGRAMDATA\MICROSOFT\WINDOWS\NETWORKCACHEMANAGER\NTCACHE.EXE, Delete-on-Reboot, [1652], [401367],1.0.2009
Adware.GorillaPrice, C:\USERS\{username}\DESKTOP\NTCACHE.EXE, Delete-on-Reboot, [1652], [401367],1.0.2009
Adware.GorillaPrice, C:\USERS\{username}\DESKTOP\NSIS.EXE, Delete-on-Reboot, [1652], [401367],1.0.2009

Physical Sector: 0
(No malicious items detected)


(end)
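
The Scan Details of a log like the one above can be summarised for triage. The following Python is an added example, not Malwarebytes code; it assumes the comma-separated entry layout seen in this log, and the names parse_scan_details and triage are hypothetical. It groups entries by detection name, lists the objects marked Delete-on-Reboot (these remain on the system until the reboot in step 7), and flags sections whose declared count differs from the entries found, as happens with a truncated log.

```python
import re
from collections import Counter

SECTION = re.compile(r"^([A-Za-z ]+): (\d+)$")
ITEM = re.compile(r"^(\S+), (.+), ([A-Za-z-]+), \[(-?\d+)\], \[(-?\d+)\],(\S+)$")

# Constructed sample: abridged from the log above, section counts adjusted to the entries kept.
SAMPLE_LOG = r"""Threats Detected: 12
-Scan Details-
Process: 1
Adware.GorillaPrice, C:\PROGRAMDATA\MICROSOFT\WINDOWS\NETWORKCACHEMANAGER\NTCACHE.EXE, Quarantined, [1652], [401367],1.0.2009

Registry Key: 2
Adware.GorillaPrice, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ntcache, Delete-on-Reboot, [1652], [401367],1.0.2009
Adware.SavingsCool.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Delete-on-Reboot, [970], [-1],0.0.0

Registry Value: 1
Adware.SavingsCool.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [970], [-1],0.0.0

Folder: 0
(No malicious items detected)
"""

def parse_scan_details(text):
    """Return (items, declared counts) for the part of the log after -Scan Details-."""
    items, declared, section, in_details = [], {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "-Scan Details-":
            in_details = True  # summary lines such as "Threats Detected: 12" come earlier
        elif in_details and (m := SECTION.match(line)):
            section = m.group(1)
            declared[section] = int(m.group(2))
        elif in_details and section and (m := ITEM.match(line)):
            items.append({"section": section, "detection": m.group(1),
                          "object": m.group(2), "action": m.group(3)})
    return items, declared

def triage(text):
    """Summarise detections, reboot-pending objects and declared/parsed count mismatches."""
    items, declared = parse_scan_details(text)
    parsed = Counter(i["section"] for i in items)
    return {
        "by_detection": dict(Counter(i["detection"] for i in items)),
        "pending_reboot": [i["object"] for i in items if i["action"] == "Delete-on-Reboot"],
        "count_mismatch": {s: (n, parsed[s]) for s, n in declared.items() if n != parsed[s]},
    }

if __name__ == "__main__": print(triage(SAMPLE_LOG))
```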