What is PCFixer?
The Malwarebytes research team has determined that PCFixer is a fake registry cleaner. These so-called "registry cleaners" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.
How do I know if I am infected with PCFixer?
This is how the main screen of the registry cleaning application looks:
You will find these icons in your taskbar and on your desktop:
And see these warnings during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
How did PCFixer get on my computer?
These so-called registry cleaners use different methods of getting installed. This particular one was bundled with other software.
How do I remove PCFixer?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
- Then click Finish.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- If an update is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes' Anti-Malware removes PCFixer completely.
We hope our application and this guide have helped you eradicate this registry cleaner.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the PCFixer installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
You may see these entries in FRST logs:
() C:\Users\{username}\AppData\Roaming\Pcfixer\Pcfixer\Pcfixer.exe
() C:\Users\{username}\AppData\Roaming\Pcfixer\Pcfixer\background\tascmgr.exe
Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tascmgr.lnk [2016-11-29]
ShortcutTarget: tascmgr.lnk -> C:\Users\{username}\AppData\Roaming\Pcfixer\Pcfixer\background\tascmgr.exe ()
C:\Users\{username}\AppData\Roaming\Pcfixer
Pcfixer (HKLM-x32\...\{C93E4310-59BB-48A5-B41D-2D03461DE7DA}) (Version: 1.0.0 - Pcfixer)

Alterations made by the installer:
Malwarebytes Anti-Malware log:
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
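
The FRST entries listed under "Technical details for experts" can be matched mechanically when triaging a log. The following is an added example, not Malwarebytes or FRST code; the function name `scan_frst`, the sample text and the user name `alice` are constructed for illustration.

```python
import re

# Indicators copied from the FRST entries on this page.
PCFIXER_DIR = r"\appdata\roaming\pcfixer"
PCFIXER_GUID = "{c93e4310-59bb-48a5-b41d-2d03461de7da}"

STARTUP_RE = re.compile(r"^Startup:\s+(?P<lnk>.+?\.lnk)\s+\[[\d-]+\]", re.I)
TARGET_RE = re.compile(r"^ShortcutTarget:\s+(?P<name>.+?\.lnk)\s+->\s+(?P<target>.+?\.exe)\b", re.I)
PROCESS_RE = re.compile(r"^\([^)]*\)\s+(?P<path>[A-Za-z]:\\.+)$")

# Constructed sample: the page's entries with {username} replaced by "alice",
# plus unrelated entries (Example Corp / Notes) that must not be flagged.
SAMPLE = r"""
() C:\Users\alice\AppData\Roaming\Pcfixer\Pcfixer\Pcfixer.exe
() C:\Users\alice\AppData\Roaming\Pcfixer\Pcfixer\background\tascmgr.exe
(Example Corp) C:\Program Files\Notes\notes.exe
Startup: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk [2016-10-02]
ShortcutTarget: Notes.lnk -> C:\Program Files\Notes\notes.exe (Example Corp)
Startup: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tascmgr.lnk [2016-11-29]
ShortcutTarget: tascmgr.lnk -> C:\Users\alice\AppData\Roaming\Pcfixer\Pcfixer\background\tascmgr.exe ()
C:\Users\alice\AppData\Roaming\Pcfixer
Pcfixer (HKLM-x32\...\{C93E4310-59BB-48A5-B41D-2D03461DE7DA}) (Version: 1.0.0 - Pcfixer)
"""


def scan_frst(text):
    """Return (kind, detail) findings for PCFixer traces in FRST-style text."""
    findings, shortcuts = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if m := STARTUP_RE.match(line):
            # Remember the shortcut by file name; its target is printed on a later line.
            shortcuts[m["lnk"].rsplit("\\", 1)[-1].lower()] = m["lnk"]
        elif m := TARGET_RE.match(line):
            lnk = shortcuts.get(m["name"].lower())
            if lnk and PCFIXER_DIR in m["target"].lower():
                findings.append(("startup_persistence", f"{lnk} -> {m['target']}"))
        elif m := PROCESS_RE.match(line):
            if PCFIXER_DIR in m["path"].lower():
                findings.append(("running_process", m["path"]))
        elif PCFIXER_GUID in low:
            findings.append(("installed_program", line))
        elif PCFIXER_DIR in low:
            findings.append(("leftover_path", line))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_frst(SAMPLE):
        print(f"{kind:20} {detail}")
```

The Startup shortcut is only reported once its ShortcutTarget line resolves into the Pcfixer folder, so unrelated autostart entries in the same log are left alone.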