a variant of Win32/Toolbar.Conduit.H potentially unwanted


A variant of Win32/Toolbar.Conduit.H potentially unwanted is also known as PUA.Conduit!8.122-TMF2WbKYhOJ (cloud).

Malware Analysis of a variant of Win32/Toolbar.Conduit.H potentially unwanted – PIXILLIONSETUP_V2.52.EXE

Created files:

%Program Files%\NCH Software\Pixillion\Help\options.html
%Program Files%\NCH Software\Pixillion\pixillion.exe
%Program Files%\NCH Software\Pixillion\pixillionsetup_v2.52.exe
%COMMON APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\GRAPHICS RELATED PROGRAMS\GRAPHICS FILE CONVERTER.LNK
%COMMON APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\GRAPHICS RELATED PROGRAMS\PHOTOPAD EDITOR.LNK

Autostart registry keys:

HKLM\Software\Classes\Applications\pixillion.exe\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\Applications\pixillion.exe\shell\: “Open”
HKLM\Software\Classes\Applications\pixillion.exe\DefaultIcon\: “%Program Files%\NCH Software\Pixillion\pixillion.exe,0”
HKLM\Software\Classes\Applications\pixillion.exe\: “Pixillion Image Converter”
HKLM\Software\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}\LocalServer32\: “”%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe””
HKLM\Software\Classes\NCH.Pixillion.arw\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.bmp\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.cr2\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.crw\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.dcr\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.dng\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.erf\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.gif\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.hdp\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.ico\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.iff\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.jp2\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.jpeg\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.jpg\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.jps\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.jxr\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.kdc\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.mef\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.mos\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.mpo\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.mrw\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.nef\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.nrw\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.orf\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.pbm\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.pcx\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.pdf\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.pef\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.pgf\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.pgm\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.png\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.pnm\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.ppm\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.psd\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.ptx\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.r3d\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.raf\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.ras\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.raw\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.rw2\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.srf\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.srw\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.tga\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.tif\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.tiff\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.wbmp\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.wdp\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.webp\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Classes\NCH.Pixillion.x3f\shell\open\command\: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” “%L””
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pixillion\DisplayName: “Pixillion Image Converter”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pixillion\UninstallString: “”%Program Files%\NCH Software\Pixillion\pixillion.exe” -uninstall”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{314c15d6-8c8e-4a9b-adea-009aa21c9132}\DisplayName: “Web Companion”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{314c15d6-8c8e-4a9b-adea-009aa21c9132}\UninstallString: “%Program Files%\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe --uninstall”
HKLM\System\CurrentControlSet\services\LavasoftTcpService\ImagePath: “%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe”
HKLM\System\CurrentControlSet\services\LavasoftTcpService\DisplayName: “LavasoftTcpService”
HKLM\System\CurrentControlSet\services\WCAssistantService\ImagePath: “%Program Files%\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe”
HKLM\System\CurrentControlSet\services\WCAssistantService\DisplayName: “WC Assistant”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion: “%Program Files%\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize ”

Detected by UnHackMe:

PIXILLIONSETUP_V2.52.EXE
Default location: %PROGRAM FILES%\NCH SOFTWARE\PIXILLION\PIXILLIONSETUP_V2.52.EXE

Dropper hash(md5): dcff48bb9ccce81803d2ed9cbf2d71ce

Written by Malware Hunter.
