What is AnonymizerGadget?
The Malwarebytes research team has determined that AnonymizerGadget is a "privacy optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have privacy issues. Then they try to sell you their software, claiming it will remove these problems.
This particular one offers to use proxies to hide the users' location. But the proxies are either extremely slow or need to be paid for.
How do I know if I am infected with AnonymizerGadget?
This is how the main screen of the system optimizer looks:

You will find this icon in your taskbar and your Start menu:

and see these warnings during install:


this entry in your list of installed Programs and Features:

and this task in your list of Scheduled Tasks:

How did AnonymizerGadget get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was installed by a bundler.
How do I remove AnonymizerGadget?
Our program Malwarebytes can detect and remove this potentially unwanted application.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes AnonymizerGadget completely.
- This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below, the full version of Malwarebytes would have protected you against the AnonymizerGadget installer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and we block access to their download locations:
Technical details for experts
You may see these entries in FRST logs:
(Jetico ltd) C:\Users\{username}\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\{username}\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [347784 2018-05-08] (Jetico ltd)
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
C:\Users\{username}\AppData\Roaming\AGData
C:\Windows\System32\Tasks\AGProxyCheck
C:\Program Files (x86)\AnonymizerGadget
AnonymizerGadget (HKCU\...\AnonymizerGadget) (Version: 1 - Jetico lim)
Task: {F33953EB-E849-492E-9A08-26F583D2EACB} - System32\Tasks\AGProxyCheck => C:\Program
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\AnonymizerGadget
    Adds the file AGLoader.dll"="7/3/2017 10:15 AM, 865416 bytes, A
    Adds the file AGService.exe"="7/3/2017 10:02 AM, 179720 bytes, A
    Adds the file AGUtils.dll"="7/3/2017 10:15 AM, 308872 bytes, A
    Adds the file AnonymizerLauncher.exe"="7/3/2017 10:15 AM, 347784 bytes, A
    Adds the file uninstaller.exe"="7/3/2017 10:29 AM, 122056 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\AGData
    Adds the file add.json"="5/8/2018 10:25 AM, 1 bytes, A
    Adds the file config.json"="5/8/2018 10:25 AM, 2651 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\AGData\bin
    Adds the file add.json"="5/8/2018 10:25 AM, 1 bytes, A
    Adds the file AGLoader.dll"="5/8/2018 10:24 AM, 865416 bytes, A
    Adds the file AnonymizerGadget.dll"="5/8/2018 10:25 AM, 9654408 bytes, A
    Adds the file AnonymizerGadget.zip"="5/8/2018 10:24 AM, 69984496 bytes, A
    Adds the file AnonymizerLauncher.exe"="5/8/2018 10:24 AM, 347784 bytes, A
    Adds the file cef.pak"="5/8/2018 10:24 AM, 3877890 bytes, A
    Adds the file cef.pak.info"="5/8/2018 10:24 AM, 33986 bytes, A
    Adds the file cef_100_percent.pak"="5/8/2018 10:24 AM, 658579 bytes, A
    Adds the file cef_100_percent.pak.info"="5/8/2018 10:24 AM, 33189 bytes, A
    Adds the file cef_200_percent.pak"="5/8/2018 10:24 AM, 753741 bytes, A
    Adds the file cef_200_percent.pak.info"="5/8/2018 10:24 AM, 33189 bytes, A
    Adds the file cef_300_percent.pak"="5/8/2018 10:25 AM, 52085 bytes, A
    Adds the file cef_400_percent.pak"="5/8/2018 10:25 AM, 863371 bytes, A
    Adds the file cef_extensions.pak"="5/8/2018 10:24 AM, 1888653 bytes, A
    Adds the file cef_extensions.pak.info"="5/8/2018 10:24 AM, 72939 bytes, A
    Adds the file Ceflur.dll"="5/8/2018 10:25 AM, 503432 bytes, A
    Adds the file chrome_elf.dll"="5/8/2018 10:24 AM, 510464 bytes, A
    Adds the file d3dcompiler_47.dll"="5/8/2018 10:24 AM, 3661112 bytes, A
    Adds the file devtools_resources.pak"="5/8/2018 10:24 AM, 5533735 bytes, A
    Adds the file devtools_resources.pak.info"="5/8/2018 10:24 AM, 7956 bytes, A
    Adds the file ES.png"="5/8/2018 10:25 AM, 309 bytes, A
    Adds the file icudtl.dat"="5/8/2018 10:24 AM, 10171360 bytes, A
    Adds the file keyboard_resources.pak"="5/8/2018 10:24 AM, 1454952 bytes, A
    Adds the file libcef.dll"="5/8/2018 10:24 AM, 83467776 bytes, A
    Adds the file libEGL.dll"="5/8/2018 10:24 AM, 79872 bytes, A
    Adds the file libGLESv2.dll"="5/8/2018 10:24 AM, 3723264 bytes, A
    Adds the file Native Client"="5/8/2018 10:24 AM, 685568 bytes, A
    Adds the file natives_blob.bin"="5/8/2018 10:24 AM, 175617 bytes, A
    Adds the file NL.png"="5/8/2018 10:25 AM, 186 bytes, A
    Adds the file pepflashplayer.dll"="5/8/2018 10:25 AM, 17841152 bytes, A
    Adds the file proxycheck.exe"="5/8/2018 10:25 AM, 1899144 bytes, A
    Adds the file snapshot_blob.bin"="5/8/2018 10:24 AM, 1162404 bytes, A
    Adds the file tlsr.dat"="5/8/2018 10:24 AM, 44836 bytes, A
    Adds the file v8_context_snapshot.bin"="5/8/2018 10:24 AM, 1474656 bytes, A
    Adds the file Widevine Content Decryption Module"="5/8/2018 10:24 AM, 685568 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\AGData\bin\locales
Adds the folder C:\Users\{username}\AppData\Roaming\AGData\bin\WidevineCdm
    Adds the file manifest.json"="5/8/2018 10:24 AM, 688 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
    Adds the file AnonymizerGadget.lnk"="5/8/2018 10:24 AM, 1051 bytes, A
In the existing folder C:\Windows\System32\Tasks
    Adds the file AGProxyCheck"="5/8/2018 10:23 AM, 3332 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AnonymizerGadget"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe" /S /startup --ppapi-flash-path=./pepflashplayer.dll /source: /subsource:"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AnonymizerGadget]
    "DisplayIcon"="REG_SZ", ""C:\Program Files (x86)\AnonymizerGadget\AnonymizerLauncher.exe", 1"
    "DisplayName"="REG_SZ", "AnonymizerGadget"
    "DisplayVersion"="REG_SZ", "1"
    "InstallLocation"="REG_SZ", ""C:\Program Files (x86)\AnonymizerGadget""
    "NoModify"="REG_DWORD", 1
    "NoRepair"="REG_DWORD", 1
    "Publisher"="REG_SZ", "Jetico lim"
    "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\AnonymizerGadget\uninstaller.exe" /S"
    "UninstallString"="REG_SZ", ""C:\Program Files (x86)\AnonymizerGadget\uninstaller.exe""
    "VersionMajor"="REG_DWORD", 1
    "VersionMinor"="REG_DWORD", 1
Malwarebytes log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/8/18
Scan Time: 10:32 AM
Log File: 573578e3-529a-11e8-8e72-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.5026
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 238918
Threats Detected: 15
Threats Quarantined: 15
Time Elapsed: 3 min, 15 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026

Module: 2
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026

Registry Key: 1
Adware.AnonymizerGadget.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [10369], [-1],0.0.0

Registry Value: 5
Adware.AnonymizerGadget.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|AnonymizerGadget, Quarantined, [10369], [490737],1.0.5026
Adware.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0
Adware.AnonymizerGadget.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [10369], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 6
Adware.AnonymizerGadget.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490737],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\APPDATA\ROAMING\AGDATA\BIN\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\USERS\{username}\DESKTOP\ANONYMIZER.EXE, Quarantined, [12353], [505115],1.0.5026
Adware.AnonymizerGadget.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\ANONYMIZERLAUNCHER.EXE, Quarantined, [10369], [490738],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\AGUTILS.DLL, Quarantined, [12353], [505115],1.0.5026
Adware.Vitruvian.PrxySvrRST, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\AGLOADER.DLL, Quarantined, [12353], [505115],1.0.5026

Physical Sector: 0
(No malicious items detected)

(end)
As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
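The FRST entries listed under "Technical details for experts" can be checked for mechanically when reviewing a log, for example to confirm that the Run value and the AGProxyCheck scheduled task are gone after removal. The following is an added example, not part of the original guide or of any Malwarebytes or FRST tooling; the function names, the sample user "alice" and the ExampleUpdater line are constructed, and the Run-line pattern assumes the layout shown in the entries above.

```python
import re

# Indicators copied from the FRST entries on this page. The {username} part of
# a profile path is matched generically so the check works for any account.
INDICATORS = [
    ("run_value", re.compile(r"\\Run: \[AnonymizerGadget\]", re.I)),
    ("task", re.compile(r"System32\\Tasks\\AGProxyCheck\b", re.I)),
    ("appdata", re.compile(r"C:\\Users\\[^\\]+\\AppData\\Roaming\\AGData\b", re.I)),
    ("install_dir", re.compile(r"C:\\Program Files \(x86\)\\AnonymizerGadget\b", re.I)),
    ("start_menu", re.compile(r"\\Start Menu\\Programs\\AnonymizerGadget\b", re.I)),
    ("uninstall_key", re.compile(r"\(HKCU\\\.\.\.\\AnonymizerGadget\)", re.I)),
]

# Shape of the Run line as shown on the page:
#   HKLM-x32\...\Run: [Name] => <target> [size date] (publisher)
RUN_LINE = re.compile(
    r"^(?P<hive>\S+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => "
    r"(?P<target>.+?) \[\d+ \d{4}-\d\d-\d\d\]"
)

def triage(log_text):
    """Return ({indicator: [line numbers]}, [(hive, name, target), ...])."""
    hits, run_entries = {}, []
    for number, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        matched = [name for name, rx in INDICATORS if rx.search(line)]
        for name in matched:
            hits.setdefault(name, []).append(number)
        run = RUN_LINE.match(line)
        if run and matched:  # unrelated autoruns are parsed but not reported
            run_entries.append((run["hive"], run["name"], run["target"]))
    return hits, run_entries

def leftover_persistence(hits):
    """Autostart mechanisms (Run value, scheduled task) still present."""
    return [name for name in ("run_value", "task") if name in hits]

# Constructed sample log: "alice" and ExampleUpdater are made up.
SAMPLE = r"""(Jetico ltd) C:\Users\alice\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\alice\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [347784 2018-05-08] (Jetico ltd)
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [12345 2018-01-01] (Example Corp)
C:\Windows\System32\Tasks\AGProxyCheck
AnonymizerGadget (HKCU\...\AnonymizerGadget) (Version: 1 - Jetico lim)
"""

if __name__ == "__main__":
    found, autoruns = triage(SAMPLE)
    print(found, autoruns, leftover_persistence(found))
```

An empty result from `leftover_persistence` on a post-removal log means neither autostart entry from this page is still listed.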