What is ActSys?
The Malwarebytes research team has determined that ActSys is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by ActSys?
You may see this entry in your list of installed programs:
How did ActSys get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove ActSys?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
- Enable free trial of Malwarebytes Anti-Malware Premium
- Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
- When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
- Reboot your computer if prompted.
- No, Malwarebytes' Anti-Malware removes ActSys completely.
We hope our application and this guide have helped you eradicate this adware.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the ActSys adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Possible signs in FRST logs:
() C:\Program Files (x86)\ActSys\ActSys.exe R2 ActSys; C:\Program Files (x86)\ActSys\ActSys.exe [452664 2016-02-24] () R1 asfilterdrv; C:\Windows\System32\drivers\asfilterdrv.sys [57656 2016-02-24] (Windows (R) Win 7 DDK provider) C:\Program Files (x86)\ActSys (Windows (R) Win 7 DDK provider) C:\Windows\system32\Drivers\asfilterdrv.sys ActSys (HKLM-x32\...\ActSys) (Version: 2.1.0 - NINJASOFT) () C:\Program Files (x86)\ActSys\ActSys.exe () C:\Program Files (x86)\ActSys\nfapi.dll () C:\Program Files (x86)\ActSys\ProtocolFilters.dllAlterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\ActSys
Adds the file ActSys.exe"="2/24/2016 11:09 PM, 452664 bytes, A
Adds the file libeay32.dll"="2/24/2016 11:09 PM, 1499136 bytes, A
Adds the file nfapi.dll"="2/24/2016 11:09 PM, 126976 bytes, A
Adds the file nfregdrv.exe"="2/24/2016 11:09 PM, 49152 bytes, A
Adds the file ProtocolFilters.dll"="2/24/2016 11:09 PM, 1413120 bytes, A
Adds the file remove_ActSys.exe"="3/25/2016 8:14 AM, 34782 bytes, A
Adds the file ssleay32.dll"="2/24/2016 11:09 PM, 376832 bytes, A
In the existing folder C:\Windows\System32\drivers
Adds the file asfilterdrv.sys"="2/24/2016 11:10 PM, 57656 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\ActSys]
"InstID"="REG_SZ", "AKeMrOsZjSuhzCnEkxfKdoKKZa3q3mn1"
"Version"="REG_SZ", "2.1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"Comments"="REG_SZ", "Browse safe online with our product! It alerts you if a page is harmful for your computer (Build ID: tO8kyrdAFHApzvcfzVvji4NnQsP9)"
"DisplayName"="REG_SZ", "ActSys"
"DisplayVersion"="REG_SZ", "2.1.0"
"Publisher"="REG_SZ", "NINJASOFT"
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\ActSys\remove_ActSys.exe" /S"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\ActSys\remove_ActSys.exe" /S"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ActSys]
"DisplayName"="REG_SZ", "ActSys"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files (x86)\ActSys\ActSys.exe"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16
"WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\asfilterdrv]
"DisplayName"="REG_SZ", "asfilterdrv"
"ErrorControl"="REG_DWORD", 1
"Group"="REG_SZ", "PNP_TDI"
"ImagePath"="REG_EXPAND_SZ, "system32\drivers\asfilterdrv.sys"
"Start"="REG_DWORD", 1
"Tag"="REG_DWORD", 11
"Type"="REG_DWORD", 1
"WOW64"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\asfilterdrv\Enum]
"0"="REG_SZ", "Root\LEGACY_ASFILTERDRV\0000"
"Count"="REG_DWORD", 1
"NextInstance"="REG_DWORD", 1
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"="REG_DWORD", 0
Malwarebytes Anti-Malware log:Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 3/25/2016
Scan Time: 8:41 AM
Logfile: mbamActSys.txt
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.03.25.01
Rootkit Database: v2016.03.12.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 372382
Time Elapsed: 10 min, 7 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 2
Adware.BrAppWare, C:\Program Files (x86)\ActSys\ActSys.exe, 3516, Delete-on-Reboot, [46af0f7cbadfd561f44b0be241c03ec2]
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\ActSys.exe, 3516, Delete-on-Reboot, [25d03259cccdef475c2ab244ad561de3]
Modules: 2
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\nfapi.dll, Delete-on-Reboot, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\ProtocolFilters.dll, Delete-on-Reboot, [b73e6823c0d94ee86cb10bf63cc823dd],
Registry Keys: 5
Adware.BrAppWare, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ActSys, Quarantined, [46af0f7cbadfd561f44b0be241c03ec2],
PUP.Optional.ActSys, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ActSys, Quarantined, [25d03259cccdef475c2ab244ad561de3],
PUP.Optional.ActSys, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ActSys, Quarantined, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.ASFilter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\asfilterdrv, Quarantined, [4ea76229eeab1026ee517192659fc53b],
PUP.Optional.BrAdware, HKLM\SOFTWARE\ACTSYS, Quarantined, [28cd1a71d9c0b97d655a8e00d43048b8],
Registry Values: 2
PUP.Optional.BrAdware, HKLM\SOFTWARE\ACTSYS|InstID, AKeMrOsZjSuhzCnEkxfKdoKKZa3q3mn1, Quarantined, [28cd1a71d9c0b97d655a8e00d43048b8]
PUP.Optional.BrAdware, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ACTSYS|ImagePath, C:\Program Files (x86)\ActSys\ActSys.exe, Quarantined, [62930f7ccfca1620566a06883bc936ca]
Registry Data: 0
(No malicious items detected)
Folders: 4
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys, Delete-on-Reboot, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
Files: 20
PUP.Optional.ASFilter, C:\Windows\System32\drivers\asfilterdrv.sys, Delete-on-Reboot, [3ba8b7859ad35cdbb9049d1261801928],
Adware.BrAppWare, C:\Program Files (x86)\ActSys\ActSys.exe, Delete-on-Reboot, [46af0f7cbadfd561f44b0be241c03ec2],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\ActSys.exe, Delete-on-Reboot, [25d03259cccdef475c2ab244ad561de3],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\nfregdrv.exe, Quarantined, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\libeay32.dll, Quarantined, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\nfapi.dll, Delete-on-Reboot, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\ProtocolFilters.dll, Delete-on-Reboot, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\remove_ActSys.exe, Quarantined, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.ActSys, C:\Program Files (x86)\ActSys\ssleay32.dll, Quarantined, [b73e6823c0d94ee86cb10bf63cc823dd],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\actssl.cer, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\import.bat, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\import_root_cert.exe, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
PUP.Optional.BrAdware, C:\Users\{username}\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll, Quarantined, [668f1d6e3e5b1f1713abd4ba749058a8],
Physical Sectors: 0
(No malicious items detected)
(end)As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
Back to top
Sign In
Create Account
