Adware.RunBooster
Short bio
Adware.RunBooster is Malwarebytes’ detection for a family of adware that mainly uses the Windows scheduled tasks feature to show advertisements on affected systems.
Symptoms
Users of affected systems may notice warnings during install, scheduled tasks, or an entry in installed programs and features.
Adware.RunBooster install warning
Adware.RunBooster Scheduled Task
Adware.RunBooster entry under installed Programs and Features
Protection
Malwarebytes protects users from Adware.RunBooster by using real-time protection.
Malwarebytes blocks Adware.RunBooster
Remediation
Malwarebytes can detect and remove Adware.RunBooster without further user interaction.
- Please download Malwarebytes to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- Click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
Malwarebytes removal log
A Malwarebytes log of removal will look similar to this:
Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/7/17 Scan Time: 9:11 AM Logfile: mbamRunBooster.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1201 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 359009 Time Elapsed: 2 min, 3 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 1 Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE, Quarantined, [2278], [357591],1.0.1201 Module: 1 Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE, Quarantined, [2278], [357591],1.0.1201 Registry Key: 3 Adware.RunBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9}, Delete-on-Reboot, [2278], [358296],1.0.1201 Adware.RunBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\RunBoosterUpdateTask, Delete-on-Reboot, [2278], [358287],1.0.1201 Adware.RunBooster, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNBOOSTER, Delete-on-Reboot, [2278], [357591],1.0.1201 Registry Value: 2 Adware.RunBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9}|PATH, Delete-on-Reboot, [2278], [358296],1.0.1201 Adware.RunBooster, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNBOOSTER|DESCRIPTION, Delete-on-Reboot, [2278], [357591],1.0.1201 Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 4 Adware.RunBooster, C:\USERS\{username}\DESKTOP\RUNBOOSTERSETUP64_3231.EXE, Delete-on-Reboot, [2278], [357686],1.0.1201 Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERUPDATETASK64.EXE, Delete-on-Reboot, [2278], [357685],1.0.1201 Adware.RunBooster, C:\WINDOWS\SYSTEM32\TASKS\RUNBOOSTERUPDATETASK, Delete-on-Reboot, [2278], [357683],1.0.1201 Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE, Delete-on-Reboot, [2278], [357591],1.0.1201 Physical Sector: 0 (No malicious items detected) (end)
Traces/IOCs
You may see these entries in FRST logs:
(SkyNET Corporation) C:\Program Files\RunBooster\RunBoosterService64.exe R2 RunBooster; C:\Program Files\RunBooster\RunBoosterService64.exe [286720 2017-02-07] (SkyNET Corporation) [File not signed] R2 WinDivert1.2; C:\Windows\system32\drivers\WinDivert64.sys [37552 2017-02-07] (Basil) (Basil) C:\Windows\system32\Drivers\WinDivert64.sys C:\Windows\System32\Tasks\RunBoosterUpdateTask C:\Program Files\RunBooster RunBooster (HKLM\...\RunBooster) (Version: 1.0.3 - SkyNET Corporation) <==== ATTENTION Task: {9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9} - System32\Tasks\RunBoosterUpdateTask => C:\Program Files\RunBooster\RunBoosterUpdateTask64.exe [2017-02-07] (SkyNET Corporation) <==== ATTENTION () C:\Program Files\RunBooster\WinDivert.dll
