Websteroids, Search Protect, et al


Websteroids, Search Protect, et al

Post by Hobo on Mon 28 Apr 2014, 3:18 pm

My father's desktop computer is infected with at least two malware. He said his problems started Saturday. I checked his machine on Sunday and noticed pop-ups and redirects. I checked the installed programs and noticed:
Media Buzz v1.1 installed 4-26
Search Protect v2.12.20.154 installed 4-13
Websteroids v2.6.71 installed 3-26
Install Converter v1.0 installed 3-26

His OS is Win7. He was running MS Essentials. (I know - he would not listen to me)

I installed Norton 360, updated it and ran a scan. It found 5 problems and "resolved" all 5. (I did not get to see the log so I don't know what the 5 problems were.)

Afterward when I attempted to load a couple of web pages the pop-ups and redirects were still there.

SuperAntiSpyware immediately found Websteroids and Search Protect. I could not hang around to see if SAS could delete them.

I would appreciate your help in cleaning the malware off my father's machine. Please be patient because I will have to go to his house to do each step and it could take a day or two for me to complete some steps.

Thanks in advance.

Hobo

Rookie Surfer

Posts : 80
Joined : 2009-04-14
Operating System : Win 7

Re: Websteroids, Search Protect, et al

Post by Pancake on Mon 28 Apr 2014, 5:56 pm

Hi
Please carry out these instructions. It will help assist us further. [You must be registered and logged in to see this link.]






Pancake

Tech Staff

Posts : 222
Joined : 2010-03-06
Operating System : Windows 7

Re: Websteroids, Search Protect, et al

Post by Hobo on Tue 29 Apr 2014, 2:47 am

AdwCleaner log:

# AdwCleaner v3.205 - Report created 28/04/2014 at 11:40:33
# Updated 28/04/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : Owner - OWNER-52
# Running from : C:\Users\Owner\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : CltMngSvc
Service Deleted : Websteroids

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\Windows\system32\SearchProtect
Folder Deleted : C:\Users\Owner\AppData\Local\Conduit
Folder Deleted : C:\Users\Owner\AppData\Local\SearchProtect
Folder Deleted : C:\Users\Owner\AppData\Local\Websteroids
File Deleted : C:\END
File Deleted : C:\Windows\Tasks\AmiUpdXp.job
File Deleted : C:\Windows\System32\Tasks\AmiUpdXp

***** [ Shortcuts ] *****


***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CD68E3BE-183E-40FB-AE98-EE5E4288D0A6}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CD68E3BE-183E-40FB-AE98-EE5E4288D0A6}
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Websteroids_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Websteroids_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebsteroidsService_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebsteroidsService_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{93DBF2BB-A2B3-4683-A92E-57E60751F346}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Websteroids
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Startup_urls] : [You must be registered and logged in to see this link.]
Deleted [Homepage] : [You must be registered and logged in to see this link.]
Deleted [Extension] : booedmolknjekdopkepjjeckmjkdpfgl
Deleted [Extension] : flpcjncodpafbgdpnkljologafpionhb

*************************

AdwCleaner[R0].txt - [3860 octets] - [28/04/2014 11:37:46]
AdwCleaner[S0].txt - [4450 octets] - [28/04/2014 11:40:33]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4510 octets] ##########

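The AdwCleaner report above lists what was removed but not why each item mattered. As an added example (not part of Hobo's post or of AdwCleaner itself), this Python script parses that report format and groups the removed items by the persistence or hijack mechanism they served, which is what a helper wants to re-check after cleaning; the sample lines are copied from the report, with a placeholder standing in for the URL the forum redacts.

```python
import re
from collections import defaultdict

# Report lines look like "<Kind> Deleted : <target>", optionally prefixed "[#]"
# (item queued for deletion at reboot), or in the browser section
# "Deleted [<Kind>] : <target>". "Data Deleted" carries "<key> [<value>] - <data>".
LINE_RE = re.compile(r"^(?:\[#\]\s*)?(?:(\w+) Deleted : |Deleted \[([^\]]+)\] : )(.+)$")

# Mechanisms recognisable from the registry or file path; first match wins.
MECHANISMS = [
    ("appinit_dll", re.compile(r"\[AppInit_DLLs\]", re.I)),          # DLL loaded into every user32 process
    ("scheduled_task", re.compile(r"\\TaskCache\\|\\Tasks\\", re.I)),   # task cache key or .job file
    ("com_class", re.compile(r"\\Classes\\", re.I)),                   # ProgID/CLSID/TypeLib: BHO plumbing
    ("ie_search_hijack", re.compile(r"\\SearchScopes\\", re.I)),       # IE search scope
]

def classify(kind, target):
    """Map one removed item to the mechanism it served."""
    if kind == "Service":
        return "service"
    if kind in ("Search Provider", "Startup_urls", "Homepage"):
        return "browser_setting"      # Chrome preferences rewritten by the PUP
    if kind == "Extension":
        return "browser_extension"    # Chrome extension id
    for name, rx in MECHANISMS:
        if rx.search(target):
            return name
    return "payload"                  # plain files, folders, uninstall/tracing keys

def parse_report(text):
    """Return {mechanism: [target, ...]} for every Deleted line in a report."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind = m.group(1) or m.group(2)
            found[classify(kind, m.group(3))].append(m.group(3))
    return dict(found)

def hooks(text):
    """Mechanisms other than plain payload, sorted: the hooks to re-check after cleaning."""
    return sorted(k for k in parse_report(text) if k != "payload")

# Constructed sample: lines taken from the report above; the search-provider URL is
# redacted in the forum post, so a placeholder stands in for it.
SAMPLE = r"""
Service Deleted : CltMngSvc
Folder Deleted : C:\Program Files\SearchProtect
File Deleted : C:\Windows\Tasks\AmiUpdXp.job
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CD68E3BE-183E-40FB-AE98-EE5E4288D0A6}
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
Deleted [Search Provider] : <url redacted in the forum post>
Deleted [Extension] : booedmolknjekdopkepjjeckmjkdpfgl
"""

if __name__ == "__main__":
    for mech, items in parse_report(SAMPLE).items():
        print(f"{mech}: {len(items)} item(s)")
```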

Re: Websteroids, Search Protect, et al

Post by Hobo on Tue 29 Apr 2014, 3:11 am

MalwareBytes log:

Malwarebytes Anti-Malware
[You must be registered and logged in to see this link.]

Scan Date: 4/28/2014
Scan Time: 12:07:38 PM
Logfile:
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.28.06
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 226067
Time Elapsed: 14 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.MediaBuzz.A, HKLM\SOFTWARE\MediaBuzzV1, Quarantined, [3e78a58aeb90b28475c191e108fa9967],
PUP.Optional.MediaBuzz.A, HKLM\SOFTWARE\MediaBuzzV1mode184, Quarantined, [7b3b909f4437d06645f19fd3e220f010],

Registry Values: 1
PUP.Optional.MediaBuzz.A, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|ext@MediaBuzzV1mode184.net, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff, Quarantined, [c6f0d55a8dee7db997a0155da062af51]

Registry Data: 0
(No malicious items detected)

Folders: 9
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ch, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content\icons, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content\icons\default, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ie, Quarantined, [f1c5ed42f982310502a92b464db5e11f],

Files: 40
PUP.Optional.SearchProtect.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RJ8TPFW.exe, Quarantined, [1d9974bbc2b956e00aaaaa7b649d0000],
PUP.Optional.Amonetize.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RAMHISX.exe, Quarantined, [1d99a788364559dd114b003cc23e27d9],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RV4GRK0.exe, Quarantined, [e8cea48b28531e183630d2317f82867a],
PUP.Optional.SearchProtect.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$R4664A6.exe, Quarantined, [12a489a644375ed8a014ba6bde23d927],
PUP.Optional.Conduit, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$R6B11SE.exe, Quarantined, [219509261962ce68050c3c2044c030d0],
PUP.Optional.Conduit, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RU2QC4Z.exe, Quarantined, [526467c87605ff3768a93626a262b64a],
PUP.Optional.SearchProtect.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RUALILV.exe, Quarantined, [feb8b57ad5a6b97d823258cdac554db3],
PUP.Optional.SearchProtect.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RUNE8SR.exe, Quarantined, [8036bf7043382610328205200001c23e],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RZXNMHN.exe, Quarantined, [4670d55a1764082e317253c7b74a46ba],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$R32SE0Q\spidentifierimpl.exe, Quarantined, [76402a054e2d7eb84e554fcb3ac78878],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$R4FKMTK\SpSetup.exe, Quarantined, [2d89a18ea1daad89d1d2dd3df70a0df3],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RBR97MZ\ctbe.exe, Quarantined, [11a53cf3fb80c472cd8647f0fc04e719],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RBR97MZ\mamstub.exe, Quarantined, [dfd70728e4974cea0e58a85bba476f91],
PUP.Optional.Conduit.A, C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RBR97MZ\mam_ie.exe, Quarantined, [694d79b6f48716201e514025ff0210f0],
PUP.Optional.ZombieAlert.A, C:\Windows\System32\Websteroids.B324755F3F87.dll, Quarantined, [6b4bab84d2a982b42e529293966ee917],
PUP.Optional.Outbrowse, C:\Users\Owner\Downloads\Setup (1).exe, Quarantined, [52643ef1017a4de9cf945370659e8779],
PUP.Optional.Outbrowse, C:\Users\Owner\Downloads\Setup (2).exe, Quarantined, [c0f6cd6299e243f3e67d4b78986ba55b],
PUP.Optional.Outbrowse, C:\Users\Owner\Downloads\Setup.exe, Quarantined, [31852e01cfaca69070f3e3e0fb0804fc],
PUP.Optional.DomalQ, C:\Users\Owner\Downloads\itunes (1).exe, Quarantined, [01b544eb80fb92a4c2555eaf887c59a7],
PUP.Optional.DomalQ, C:\Users\Owner\Downloads\itunes (2).exe, Quarantined, [e8cec16e116a9e98e23555b87094f30d],
PUP.Optional.DomalQ, C:\Users\Owner\Downloads\itunes.exe, Quarantined, [d0e64ce3bdbea49214038f7ed62e728e],
PUP.Optional.Amonetize.A, C:\Users\Owner\AppData\Local\0c1ff540-ba23-4905-0dc8-c948e9380bb4\0c1ff540-ba23-4905-0dc8-c948e9380bb4.exe, Quarantined, [358179b6ea9144f27131fa3fb94741bf],
PUP.Optional.Websteroids.A, C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d.websteroidsapp.com_0.localstorage, Quarantined, [981e30ff2754d660102b2950758d8779],
PUP.Optional.Websteroids.A, C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d.websteroidsapp.com_0.localstorage-journal, Quarantined, [704632fd83f8f83eb784c4b53ec4649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\app.dat, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\data.dat, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Uninstall.exe, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids.exe, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids.exe.config, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids.ico, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\WebsteroidsService.exe, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\WebsteroidsService.exe.config, Quarantined, [10a68ea1fa8100361df94742738f649c],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ch\MediaBuzzV1mode184.crx, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome.manifest, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\install.rdf, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content\ffMediaBuzzV1mode184.js, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content\ffMediaBuzzV1mode184ffaction.js, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content\overlay.xul, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content\icons\Thumbs.db, Quarantined, [f1c5ed42f982310502a92b464db5e11f],
PUP.Optional.MediaBuzz.A, C:\Program Files\MediaBuzzV1\MediaBuzzV1mode184\ff\chrome\content\icons\default\MediaBuzzV1mode184_32.png, Quarantined, [f1c5ed42f982310502a92b464db5e11f],

Physical Sectors: 0
(No malicious items detected)


(end)


Re: Websteroids, Search Protect, et al

Post by Pancake on Tue 29 Apr 2014, 9:13 am

Let's do one more scan. This should have improved now.

I'd like you to scan your machine with ESET OnlineScan

(1) Click on the following link to open ESET OnlineScan in a new window. [You must be registered and logged in to see this link.]
(2) Click the ESET OnlineScanner button.


Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.

Click the Start button.
Accept any security warnings from your browser.
Check Scan Archives
Click the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push List of found threats
Click Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click Finish









Re: Websteroids, Search Protect, et al

Post by Hobo on Wed 30 Apr 2014, 9:10 am

ESET

C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$R32SE0Q\software\OptimizerPro.exe Win32/SpeedingUpMyPC.I application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1356086910-1688970129-882340383-1000\$RMP6RQL\setup.exe multiple threats cleaned by deleting - quarantined


Re: Websteroids, Search Protect, et al

Post by Pancake on Wed 30 Apr 2014, 10:24 am

OK. Good. I think we can cut you loose now.

OK. All done. Congratulations, well done.

You can now uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall
  (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.









Re: Websteroids, Search Protect, et al

Post by Hobo on Wed 30 Apr 2014, 11:33 am

Thank you very much - again.


Re: Websteroids, Search Protect, et al

Post by Pancake on Wed 30 Apr 2014, 1:04 pm

You're welcome.





