Adware.RunBooster

Short bio

Adware.RunBooster is Malwarebytes’ detection for a family of adware that mainly uses the Windows scheduled tasks feature to show advertisements on affected systems.

Symptoms

Users of affected systems may notice warnings during install, scheduled tasks, or an entry in installed programs and features.

Adware.RunBooster install warning

Adware.RunBooster Scheduled Task

Adware.RunBooster entry under installed Programs and Features

Protection

Malwarebytes protects users from Adware.RunBooster by using real-time protection.

Malwarebytes blocks Adware.RunBooster

Remediation

Malwarebytes can detect and remove Adware.RunBooster without further user interaction.

Please download Malwarebytes to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
Click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/7/17
Scan Time: 9:11 AM
Logfile: mbamRunBooster.txt
Administrator: Yes

-Software Information-
Version: 3.0.5.1299
Components Version: 1.0.43
Update Package Version: 1.0.1201
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359009
Time Elapsed: 2 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE, Quarantined, [2278], [357591],1.0.1201

Module: 1
Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE, Quarantined, [2278], [357591],1.0.1201

Registry Key: 3
Adware.RunBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9}, Delete-on-Reboot, [2278], [358296],1.0.1201
Adware.RunBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\RunBoosterUpdateTask, Delete-on-Reboot, [2278], [358287],1.0.1201
Adware.RunBooster, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNBOOSTER, Delete-on-Reboot, [2278], [357591],1.0.1201

Registry Value: 2
Adware.RunBooster, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9}|PATH, Delete-on-Reboot, [2278], [358296],1.0.1201
Adware.RunBooster, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNBOOSTER|DESCRIPTION, Delete-on-Reboot, [2278], [357591],1.0.1201

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
Adware.RunBooster, C:\USERS\{username}\DESKTOP\RUNBOOSTERSETUP64_3231.EXE, Delete-on-Reboot, [2278], [357686],1.0.1201
Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERUPDATETASK64.EXE, Delete-on-Reboot, [2278], [357685],1.0.1201
Adware.RunBooster, C:\WINDOWS\SYSTEM32\TASKS\RUNBOOSTERUPDATETASK, Delete-on-Reboot, [2278], [357683],1.0.1201
Adware.RunBooster, C:\PROGRAM FILES\RUNBOOSTER\RUNBOOSTERSERVICE64.EXE, Delete-on-Reboot, [2278], [357591],1.0.1201

Physical Sector: 0
(No malicious items detected)


(end)

Traces/IOCs

You may see these entries in FRST logs:

 (SkyNET Corporation) C:\Program Files\RunBooster\RunBoosterService64.exe
 R2 RunBooster; C:\Program Files\RunBooster\RunBoosterService64.exe [286720 2017-02-07] (SkyNET Corporation) [File not signed]
 R2 WinDivert1.2; C:\Windows\system32\drivers\WinDivert64.sys [37552 2017-02-07] (Basil)
 (Basil) C:\Windows\system32\Drivers\WinDivert64.sys
 C:\Windows\System32\Tasks\RunBoosterUpdateTask
 C:\Program Files\RunBooster

RunBooster (HKLM\...\RunBooster) (Version: 1.0.3 - SkyNET Corporation) <==== ATTENTION
Task: {9475BC77-1F2B-4B71-B8C3-7702B8C4DBC9} - System32\Tasks\RunBoosterUpdateTask => C:\Program Files\RunBooster\RunBoosterUpdateTask64.exe [2017-02-07] (SkyNET Corporation) <==== ATTENTION
() C:\Program Files\RunBooster\WinDivert.dll