What is Book Source?
The Malwarebytes research team has determined that Book Source is a Tech Support Scam. These scammers try to convince you to dial their number, so they can steal your data or get you to pay for their "services", which are ususlly not necessary or overly expensive.
This one uses a fake Windows Activation warning to lure you into calling them.
How do I know if my computer is affected by Book Source?
During install you may see this warning:
and afterwards you may this entry in your list of installed programs:
and these icons in your taskbar and on your desktop:
How did Book Source get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an eBook download utility.
How do I remove Book Source?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
- Enable free trial of Malwarebytes Anti-Malware Premium
- Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes' Anti-Malware removes Book Source completely.
We hope our application and this guide have helped you eradicate this potentially unwanted application.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Book Source scammer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
You may see these entries in FRST logs:
() C:\Windows\Book Source\Book Source\Book Source.exe HKCU\...\Run: [Book Source] => C:\Windows\Book Source\Book Source\Book Source.exe [526848 2016-03-21] () C:\Windows\Book Source Book Source 1.1.1.1 (HKLM-x32\...\Book Source 1.1.1.1) (Version: 1.1.1.1 - Book Source)Alterations made by the installer:
File system details [View: All details] (Selection) --------------------------------------------------- In the existing folder C:\Users\{username}\Desktop Adds the file Book Source.lnk"="3/23/2016 8:37 AM, 1961 bytes, A Adds the folder C:\Windows\Book Source\Book Source Adds the file Book Source.exe"="3/21/2016 2:19 PM, 526848 bytes, A Adds the file Uninstall.exe"="3/23/2016 8:37 AM, 264754 bytes, A Adds the file Uninstall.ini"="3/23/2016 8:37 AM, 2822 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Book Source 1.1.1.1] "DisplayIcon"="REG_SZ", "C:\Windows\Book Source\Book Source\Uninstall.exe" "DisplayName"="REG_SZ", "Book Source 1.1.1.1" "DisplayVersion"="REG_SZ", "1.1.1.1" "EstimatedSize"="REG_DWORD", 773 "HelpLink"="REG_SZ", "[email protected]" "InstallDate"="REG_SZ", "20160323" "InstallLocation"="REG_SZ", "C:\Windows\Book Source\Book Source\" "InstallSource"="REG_SZ", "C:\Users\{username}1\AppData\Local\Temp\is-ET0P8.tmp\" "Language"="REG_DWORD", 1033 "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "Book Source" "UninstallString"="REG_SZ", "C:\Windows\Book Source\Book Source\Uninstall.exe" "URLInfoAbout"="REG_SZ", "www.booksource.info" "VersionMajor"="REG_DWORD", 1 "VersionMinor"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Book Source"="REG_SZ", "C:\Windows\Book Source\Book Source\Book Source.exe"Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 3/23/2016 Scan Time: 9:06 AM Logfile: mbamBookSource.txt Administrator: Yes Version: 2.2.0.1024 Malware Database: v2016.03.23.02 Rootkit Database: v2016.03.12.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 371624 Time Elapsed: 5 min, 8 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 1 PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Book Source.exe, 1516, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df] Modules: 0 (No malicious items detected) Registry Keys: 1 PUP.Optional.BookSource, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Book Source 1.1.1.1, Quarantined, [af7f7d0e36630531964f5b39a16321df], Registry Values: 1 PUP.Optional.BookSource, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Book Source, C:\Windows\Book Source\Book Source\Book Source.exe, Quarantined, [af7f7d0e36630531964f5b39a16321df] Registry Data: 0 (No malicious items detected) Folders: 2 PUP.Optional.BookSource, C:\Windows\Book Source\Book Source, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df], PUP.Optional.BookSource, C:\Windows\Book Source, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df], Files: 5 Rogue.TechSupportScam, C:\Users\{username}\Desktop\component.exe, Quarantined, [240a4e3dbedb9b9bb81558bb986a8878], PUP.Optional.BookSource, C:\Users\{username}\Desktop\Book Source.lnk, Quarantined, [9a94ddae5346d0663c98513c1fe523dd], PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Uninstall.ini, Quarantined, [af7f7d0e36630531964f5b39a16321df], PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Book Source.exe, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df], PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Uninstall.exe, Quarantined, [af7f7d0e36630531964f5b39a16321df], Physical Sectors: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention