PUP.Win32.MediaGet_0814c37d8f

by malwarelabrobot on July 11th, 2017 in Malware Descriptions.

not-a-virus:HEUR:Downloader.Win32.MediaGet.gen (Kaspersky), Program.MediaGet.142 (DrWeb), Application.MGet (A) (Emsisoft), Trojan.Win32.Sasfis.FD, PUPMediaGet.YR (Lavasoft MAS)
Behaviour: Trojan, PUP


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0814c37d8f45b1f1f43a2bb503b3decf
SHA1: 2bd416afa671ecdae2a09f3deef4a175b548370d
SHA256: 47b97093fae273ea31d39fdb21e4f0718d9a0226108d4b0610ab0ef1c2c657bd
SSDeep: 24576:3rDWHiMNgq3lZUHSxCCjRJrnOkyOZ8C6qnLypf/W79ysG095cWSMcdC7mCGfI56U:bDuiQ3lZUyxXJrOqZh5nL f/W79ysG0L
Size: 1449768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: MediaGet LLC
Created at: 2017-02-03 15:16:17
Analyzed on: Windows7 SP1 32-bit


Summary:

PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.

Payload

No specific payload has been found.

Process activity

The PUP creates the following process(es):
No processes have been created.
The PUP injects its code into the following process(es):

%original file name%.exe:1804

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1804 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EA1.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-hovered-en.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel_page.jpg (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\js\jquery-ui.min.1.8.0.js (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-en.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017071020170711\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\index.html (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-tr.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\install-fusion-en.bmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\yandex-stuff-tr.txt (466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\yandex-stuff-ru.txt (788 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\yandex-logo-tr.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\cancel-tr.template (668 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-try-tr.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\mediaget-logo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-try.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\install-fusion-ru.bmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\stub.html (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-white-off.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\custom-back.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EA2.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-hovered.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EB2.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-off.png (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-fusion-en.bmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\index.template (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\cancel.template (670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-white-on.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\close-fusion.bmp (576 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel_page_en.jpg (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\mediaget-logo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EB3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-on.png (359 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-try-en.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\first-page-ru.html (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\js\jquery.min.1.6.4.js (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel_page_tr.jpg (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\first-page-en.html (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\first-page-tr.html (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\yandex-logo-ru.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-hovered-tr.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel-grey-en.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-fusion-ru.bmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\install-min.template (424 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel-grey.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\cancel-en.template (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel-tr.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\preloader.html (704 bytes)

The PUP deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EA1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EA2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EB3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016102820161029 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EB2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\preloader.html (0 bytes)

Registry activity

The process %original file name%.exe:1804 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017071020170711]
"CacheRepair" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017071020170711]
"CachePrefix" = ":2017071020170711:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017071020170711]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017071020170711"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
"fdwSupport" = "1"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017071020170711]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Media Get LLC\MediaGet2-systemScope\mediaget_info]
"hasDownloadedUpdate" = "false"

[HKLM\SOFTWARE\Microsoft\Tracing\0814c37d8f45b1f1f43a2bb503b3decf_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017071020170711]
"CacheOptions" = "11"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016102820161029]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: MediaGet LLC
Product Name: mediaget-installer Module
Product Version: 1.0
Legal Copyright: Copyright (c) 2011 MediaGet LLC
Legal Trademarks:
Original Filename: mediaget-installer.exe
Internal Name: mediaget-installer
File Version: 1.0
File Description: MediaGet installer
Comments: MediaGet installer
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 720896 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 724992 1224704 1221120 5.44322 ce4f47b84b0c2394accb19d1ab5ba025
.rsrc 1949696 217088 216576 5.47059 aa81ffc76acc56ec56840ad8d35adb54

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
www.download.windowsupdate.com 62.140.236.170
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The PUP connects to the servers at the folowing location(s):

%original file name%.exe_1804:

`.rsrc
SSSSh
PSSSSSSh
FTPW
8%uvP
3|$@3|$4
3|$43|$(
3|$<3|$(
vSSSh
FTPjK
FtPj;
C.PjRV
Dw[DEw.AEw
Av=kAv.SCvD
mediaget.exe
mediaget-admin-proxy.exe
MediaGet.exe
hXXp://sub2.bubblesmedia.ru/client/mg_install
preloader.html
addWindowsAutostart
index.html
mediaget-installer-2/installer-html/getHtml.php?inst_ver=
<catalog_url>(.*?)</catalog_url>
<playlistUrl>(.*?)</playlistUrl>
<posterUrl>(.*?)</posterUrl>
<web_url>(.*?)</web_url>
<magnet_url>(.*?)</magnet_url>
<torrent_url>(.*?)</torrent_url>
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360SD
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\safebox
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security 2013
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360TotalSecurity
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Total
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Antivirus
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\safebox
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security 2013
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360TotalSecurity
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Total
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Antivirus
\Google\Chrome\User Data\Default\Extensions\
hXXp://
/mediaget-installer-2/bundles/bundle.php?b=
download5.mediaget.com
download2.mediaget.com
download1.mediaget.com
download.mediaget.com
.mediaget.com/getdata.php?id=
.mediaget.com/getdata-new.php?id=
hXXps://install.mediaget.com/index2.php
hXXp://bugs.mediaget.com/cgi-bin/submit-bug-installer.cgi?ver=
download_url
weburl
catalogurl
mgtoolbar_web_url
playlist_url
&url=
hXXp://sub2.bubblesmedia.ru/client/mediaget_install
document.getElementById('currentState').value = 'close';
document.getElementById('currentState').value = 'start';
document.getElementById('currentState').value = 'back';
Reading html cancel.template template:
.template
cancel_page.jpg
cancel_page_tr.jpg
cancel_page_en.jpg
checkbox-on.png
checkbox-white-on.png
index.template
Reading html install.template template:
install-min.template
URLUpdateInfo
URLInfoAbout
hXXp://mediaget.com
mediaget-uninstaller.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\MediaGet
mediaget-installer-2/binaries/download.php?a=mediaget-bin-test-
mediaget-installer-2/binaries/download.php?a=mediaget-bin
mediaget-installer-2/binaries/download.php?a=mediaget-bin-silent
mediaget-installer-2/binaries/download.php?a=mediaget-lib
Unable to make mgUserProgrammsShortcutDir path -
bundles\yandex-stuff-ru.txt
bundles\first-page-ru.html
bundles\yandex-stuff-tr.txt
bundles\first-page-tr.html
bundles\first-page-en.html
Decoder doesn't support this archive
\\.\pipe\mediaget-admin-proxy-pipe-out
\\.\pipe\mediaget-admin-proxy-pipe-in
SHELLEXECUTE
WRITE_HKLM_KEY
ConnectNamedPipe for mediaget-admin-proxy failed -
ShellExecute for mediaget-admin-proxy failed -
unable to listen on mediaget-admin-proxy pipes
The operating system is out of memory or resources
ShellExecute error:
|()[] -*\.
mg_to_taskbar.vbs
mg_from_taskbar.vbs
\\.\pipe\Media Get LLCMediaGet2
\MediaGet\mediaget.exe
%I64d %s
.A%.2f %s
A%d%s
%d%s%d%s
mediaget-tmp-%d.tmp
mediaget-udp
mediaget-tcp
CreateNamedPipe failed:
\\.\pipe\
ConnectNamedPipe failed:
Can't create IWebBrowser2 instance
Url invalid:
(https?)://(.*?)/(.*)
https
bundle.exe
searchext.exe
antivirus360.exe
adsblock_inst.exe
orbspeeddial.exe
yandex-downloader.exe
Chrome
Chrome'da sayfa Orbitum ve Yandex arama
hXXp://download.yandex.ru/yandex-pack/downloader/downloader.exe
yandexdownloaderexe
YandexPackSetup.exe
chrome
^hXXp://(?:www\.|)yandex\.ru.*clid=(?:
^hXXp://(?:www|)\.yandex\.ru
uninstall_url
Fusion.dll
img\install-fusion-ru.bmp
img\install-fusion-en.bmp
img\cancel-fusion-ru.bmp
img\cancel-fusion-en.bmp
img\close-fusion.bmp
AAjcM0WrUSlfbBR5EtcPS1SoHb7gpKsEyB7k7GzyH6pDDwzDJqHpURnsqEPhYHSBzhfFYXyO ital6I8eC1WjHVT60xO23A5dJZJEwo jzCGaEQi8///yi NOE72luHJSSRAqf55ET5rOKNTlH1f X58JWrJCj00RmjNFxAF0C69K7SBVfvIoTaGF30XjTQUh8GD XQP8lmeLAhtLkcodcTLBbdwp6LSjUgyS7vE51vS/UrcMPJBLgV6 V aSBfnisntMPlluSjoGDUpnS8i/dvpd/5H3nD8SB6EqL3KawaVxBAUbUyTwcaW 7fcvFFm
fusion-bundle.exe
Fail hello client pipe
Fail run fusion.exe:
FUSION_EXE
Fail create server pipe:
Chrome.
Chrome?
To proceed with installation you need to close the Google Chrome browser.
All opened web-sites will be recovered. Do you want to close Chrome?
browser.exe
safari.exe
chrome.exe
launcher.exe
opera.exe
firefox.exe
iexplore.exe
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.102 Safari/534.13
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Opera/9.80 (X11; Linux i686; U; ru) Presto/2.7.62 Version/11.01
Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.9.2.14) Gecko/20110221 Ubuntu/10.10 (maverick) Firefox/3.6.14
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
\Mozilla\Firefox\
\Google\Chrome\User Data\Default\Preferences
\Google\Chrome\User Data\Default\Secure Preferences
(?i)['"]urls_to_restore_on_startup['"]\s*?:.*?['"](.*?)['"]
/f /im iexplore.exe
opera
firefox
Software\Google\Chrome\Extensions
Software\Wow6432Node\Google\Chrome\Extensions
Opera
Firefox
Chrome
profiles.ini
\prefs.js
user_pref("browser.startup.homepage", "
user_pref("browser.startup.homepage"), "
user_pref.*"browser.startup.homepage"
.*?user_pref\(["']browser.startup.homepage["'].*?["'](.*?)["']\).*?
user_pref("browser.startup.page", 3);
browser.startup.page",
(.*?)=(.*?)
.*?\[(.*)\].*?
%s (%d,%d) %x %x %x %x %x
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
Error text not found (please report)
F%D,3
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
.?AVCWebCtrlInterFace@@
.?AVProgressReporter@@
.?AV?$MyWebBrowser@$0DOI@@@
.?AV?$IDispEventImpl@$0DOI@V?$MyWebBrowser@$0DOI@@@$1?GUID_NULL@@3U_GUID@@B$1?2@3U3@B$0A@$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$IDispEventSimpleImpl@$0DOI@V?$MyWebBrowser@$0DOI@@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
zcÁ
.idata
.edata
P.reloc
P.rsrc
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
u%CNu
Uh.DA
.Owner
Uh.wA
Kernel32.dll
N-K}eZ
0Q.eP
9.ImI`
9.elp
R.Up|k!
`0%sx7W
%c;yA
\.SQ}s
Pl%xDY
bÝ2
 i%cs
J%Sg}p
Q[.aL
0,Q.CT
0.wzry
5t%S]||
>!%xf^
.wJ.D{f
Tsql
Nc.BV
%u,]N
>H0]%xvP
:mSgB
.nv1j/
%dVvNUT|
TM.Bl5
 ö$
dvPX.FN\
JH.xj 2
F%X2ck
2ckeY
t%DiK
%cki1
"dx.Yp
.bo-e
}.Fm]
`v6.ck
'|%ck
%ckPQ
&ck%c
K.xaWM
NIck
uP.ck
nick
N.GHOa
sM?
j4%cV
.owsj
A.ZT8ck
m,k
2.YP#
.ck=Y
d?][%C
Ctr.qc
;mSGD
.hzGX
{6%Uk
A)J6qlh,kU~
R.WyX
.k.VX/
2c.bAB
#B?w0c^%Fv
.jz&=
.Cr~k
Geg.ip6
R-.EU
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegFlushKey
RegCreateKeyExA
GetCPInfo
Pipenokalilu
KWindows
ConnectNamedPipe
CreatePipe
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
GetProcessHeap
CreateNamedPipeW
GetConsoleOutputCP
DisconnectNamedPipe
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumKeyW
RegCreateKeyExW
RegOpenKeyExW
SHFileOperationW
ShellExecuteW
ShellExecuteExW
CreateDialogIndirectParamW
EnumWindows
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
:|4[.]<]=]`]4[4[
(((( (6"(0=4
.text
`.rdata
@.data
.rsrc
@.reloc
\.tHi
s%Cj/Q
b<Q%F
"h.rB
.VTA1
B5><H:M%x*
[k'<%u
.RPzSZ
dU%,.vC
Z.qL"
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
x-x-x-xx-xxxxxx
XXXXXXXXXXX
%s\%s.dmp
rpcrt4.dll
dbghelp.dll
xfirefox.exe
mscoree.dll
c:\%original file name%.exe
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
{8856F961-340A-11D0-A96B-00C04FD705A2}
mediaget-installer.exe

%original file name%.exe_1804_rwx_000A1000_001D9000:

SSSSh
PSSSSSSh
FTPW
8%uvP
3|$@3|$4
3|$43|$(
3|$<3|$(
vSSSh
FTPjK
FtPj;
C.PjRV
Dw[DEw.AEw
Av=kAv.SCvD
mediaget.exe
mediaget-admin-proxy.exe
MediaGet.exe
hXXp://sub2.bubblesmedia.ru/client/mg_install
preloader.html
addWindowsAutostart
index.html
mediaget-installer-2/installer-html/getHtml.php?inst_ver=
<catalog_url>(.*?)</catalog_url>
<playlistUrl>(.*?)</playlistUrl>
<posterUrl>(.*?)</posterUrl>
<web_url>(.*?)</web_url>
<magnet_url>(.*?)</magnet_url>
<torrent_url>(.*?)</torrent_url>
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360SD
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\safebox
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security 2013
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360TotalSecurity
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Total
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Antivirus
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\safebox
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security 2013
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360 Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360TotalSecurity
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Total
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSafe Antivirus
\Google\Chrome\User Data\Default\Extensions\
hXXp://
/mediaget-installer-2/bundles/bundle.php?b=
download5.mediaget.com
download2.mediaget.com
download1.mediaget.com
download.mediaget.com
.mediaget.com/getdata.php?id=
.mediaget.com/getdata-new.php?id=
hXXps://install.mediaget.com/index2.php
hXXp://bugs.mediaget.com/cgi-bin/submit-bug-installer.cgi?ver=
download_url
weburl
catalogurl
mgtoolbar_web_url
playlist_url
&url=
hXXp://sub2.bubblesmedia.ru/client/mediaget_install
document.getElementById('currentState').value = 'close';
document.getElementById('currentState').value = 'start';
document.getElementById('currentState').value = 'back';
Reading html cancel.template template:
.template
cancel_page.jpg
cancel_page_tr.jpg
cancel_page_en.jpg
checkbox-on.png
checkbox-white-on.png
index.template
Reading html install.template template:
install-min.template
URLUpdateInfo
URLInfoAbout
hXXp://mediaget.com
mediaget-uninstaller.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\MediaGet
mediaget-installer-2/binaries/download.php?a=mediaget-bin-test-
mediaget-installer-2/binaries/download.php?a=mediaget-bin
mediaget-installer-2/binaries/download.php?a=mediaget-bin-silent
mediaget-installer-2/binaries/download.php?a=mediaget-lib
Unable to make mgUserProgrammsShortcutDir path -
bundles\yandex-stuff-ru.txt
bundles\first-page-ru.html
bundles\yandex-stuff-tr.txt
bundles\first-page-tr.html
bundles\first-page-en.html
Decoder doesn't support this archive
\\.\pipe\mediaget-admin-proxy-pipe-out
\\.\pipe\mediaget-admin-proxy-pipe-in
SHELLEXECUTE
WRITE_HKLM_KEY
ConnectNamedPipe for mediaget-admin-proxy failed -
ShellExecute for mediaget-admin-proxy failed -
unable to listen on mediaget-admin-proxy pipes
The operating system is out of memory or resources
ShellExecute error:
|()[] -*\.
mg_to_taskbar.vbs
mg_from_taskbar.vbs
\\.\pipe\Media Get LLCMediaGet2
\MediaGet\mediaget.exe
%I64d %s
.A%.2f %s
A%d%s
%d%s%d%s
mediaget-tmp-%d.tmp
mediaget-udp
mediaget-tcp
CreateNamedPipe failed:
\\.\pipe\
ConnectNamedPipe failed:
Can't create IWebBrowser2 instance
Url invalid:
(https?)://(.*?)/(.*)
https
bundle.exe
searchext.exe
antivirus360.exe
adsblock_inst.exe
orbspeeddial.exe
yandex-downloader.exe
Chrome
Chrome'da sayfa Orbitum ve Yandex arama
hXXp://download.yandex.ru/yandex-pack/downloader/downloader.exe
yandexdownloaderexe
YandexPackSetup.exe
chrome
^hXXp://(?:www\.|)yandex\.ru.*clid=(?:
^hXXp://(?:www|)\.yandex\.ru
uninstall_url
Fusion.dll
img\install-fusion-ru.bmp
img\install-fusion-en.bmp
img\cancel-fusion-ru.bmp
img\cancel-fusion-en.bmp
img\close-fusion.bmp
AAjcM0WrUSlfbBR5EtcPS1SoHb7gpKsEyB7k7GzyH6pDDwzDJqHpURnsqEPhYHSBzhfFYXyO ital6I8eC1WjHVT60xO23A5dJZJEwo jzCGaEQi8///yi NOE72luHJSSRAqf55ET5rOKNTlH1f X58JWrJCj00RmjNFxAF0C69K7SBVfvIoTaGF30XjTQUh8GD XQP8lmeLAhtLkcodcTLBbdwp6LSjUgyS7vE51vS/UrcMPJBLgV6 V aSBfnisntMPlluSjoGDUpnS8i/dvpd/5H3nD8SB6EqL3KawaVxBAUbUyTwcaW 7fcvFFm
fusion-bundle.exe
Fail hello client pipe
Fail run fusion.exe:
FUSION_EXE
Fail create server pipe:
Chrome.
Chrome?
To proceed with installation you need to close the Google Chrome browser.
All opened web-sites will be recovered. Do you want to close Chrome?
browser.exe
safari.exe
chrome.exe
launcher.exe
opera.exe
firefox.exe
iexplore.exe
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.102 Safari/534.13
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Opera/9.80 (X11; Linux i686; U; ru) Presto/2.7.62 Version/11.01
Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.9.2.14) Gecko/20110221 Ubuntu/10.10 (maverick) Firefox/3.6.14
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
\Mozilla\Firefox\
\Google\Chrome\User Data\Default\Preferences
\Google\Chrome\User Data\Default\Secure Preferences
(?i)['"]urls_to_restore_on_startup['"]\s*?:.*?['"](.*?)['"]
/f /im iexplore.exe
opera
firefox
Software\Google\Chrome\Extensions
Software\Wow6432Node\Google\Chrome\Extensions
Opera
Firefox
Chrome
profiles.ini
\prefs.js
user_pref("browser.startup.homepage", "
user_pref("browser.startup.homepage"), "
user_pref.*"browser.startup.homepage"
.*?user_pref\(["']browser.startup.homepage["'].*?["'](.*?)["']\).*?
user_pref("browser.startup.page", 3);
browser.startup.page",
(.*?)=(.*?)
.*?\[(.*)\].*?
%s (%d,%d) %x %x %x %x %x
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
Error text not found (please report)
F%D,3
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
.?AVCWebCtrlInterFace@@
.?AVProgressReporter@@
.?AV?$MyWebBrowser@$0DOI@@@
.?AV?$IDispEventImpl@$0DOI@V?$MyWebBrowser@$0DOI@@@$1?GUID_NULL@@3U_GUID@@B$1?2@3U3@B$0A@$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$IDispEventSimpleImpl@$0DOI@V?$MyWebBrowser@$0DOI@@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
zcÁ
.idata
.edata
P.reloc
P.rsrc
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
u%CNu
Uh.DA
.Owner
Uh.wA
Kernel32.dll
N-K}eZ
0Q.eP
9.ImI`
9.elp
R.Up|k!
`0%sx7W
%c;yA
\.SQ}s
Pl%xDY
bÝ2
 i%cs
J%Sg}p
Q[.aL
0,Q.CT
0.wzry
5t%S]||
>!%xf^
.wJ.D{f
Tsql
Nc.BV
%u,]N
>H0]%xvP
:mSgB
.nv1j/
%dVvNUT|
TM.Bl5
 ö$
dvPX.FN\
JH.xj 2
F%X2ck
2ckeY
t%DiK
%cki1
"dx.Yp
.bo-e
}.Fm]
`v6.ck
'|%ck
%ckPQ
&ck%c
K.xaWM
NIck
uP.ck
nick
N.GHOa
sM?
j4%cV
.owsj
A.ZT8ck
m,k
2.YP#
.ck=Y
d?][%C
Ctr.qc
;mSGD
.hzGX
{6%Uk
A)J6qlh,kU~
R.WyX
.k.VX/
2c.bAB
#B?w0c^%Fv
.jz&=
.Cr~k
Geg.ip6
R-.EU
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegFlushKey
RegCreateKeyExA
GetCPInfo
Pipenokalilu
KWindows
ConnectNamedPipe
CreatePipe
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
GetProcessHeap
CreateNamedPipeW
GetConsoleOutputCP
DisconnectNamedPipe
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumKeyW
RegCreateKeyExW
RegOpenKeyExW
SHFileOperationW
ShellExecuteW
ShellExecuteExW
CreateDialogIndirectParamW
EnumWindows
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
:|4[.]<]=]`]4[4[
(((( (6"(0=4
.text
`.rdata
@.data
.rsrc
@.reloc
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
x-x-x-xx-xxxxxx
XXXXXXXXXXX
%s\%s.dmp
rpcrt4.dll
dbghelp.dll
xfirefox.exe
mscoree.dll
KERNEL32.DLL
c:\%original file name%.exe
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
{8856F961-340A-11D0-A96B-00C04FD705A2}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original PUP file.
  3. Delete or disinfect the following files created/modified by the PUP:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EA1.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-hovered-en.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel_page.jpg (38 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\js\jquery-ui.min.1.8.0.js (207 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-en.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017071020170711\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\index.html (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-tr.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\install-fusion-en.bmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\yandex-stuff-tr.txt (466 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\yandex-stuff-ru.txt (788 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\yandex-logo-tr.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\cancel-tr.template (668 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-try-tr.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\mediaget-logo.png (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-try.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\install-fusion-ru.bmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\stub.html (262 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-white-off.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\custom-back.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EA2.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-hovered.png (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EB2.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-off.png (218 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-fusion-en.bmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\index.template (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\cancel.template (670 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-white-on.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\close-fusion.bmp (576 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel_page_en.jpg (33 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\mediaget-logo.png (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EB3.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\checkbox-on.png (359 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-try-en.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\first-page-ru.html (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\js\jquery.min.1.6.4.js (91 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel_page_tr.jpg (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\close.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\first-page-en.html (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\bundles\first-page-tr.html (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\yandex-logo-ru.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\next-hovered-tr.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel-grey-en.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-fusion-ru.bmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\install-min.template (424 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel-grey.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\cancel-en.template (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\img\cancel-cancel-tr.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mediaget-installer-tmp\preloader.html (704 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now