Webssearches

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by robboemma, Dec 12, 2014.

  1. robboemma

    robboemma Private E-2

    Webbsearches seems to have taken over Internet Explorer and Chrome.

    In addition to this I have new 'pop ups' appearing. It is all unwanted and has not been downloaded.

    To the best of my knowledge I (or my family) have not recently been on any strange download or torrent sites (having had troubles previously with torrent downloads).

    Problems started several (3-4ish) weeks ago, I think.

    Help gratefully appreciated.

    I have done the RUN & READ ME instructions. Logs attached.

    Thank you in advance :)

    PS Hitman Pro file too large. Will try and attach it in a second post.
     

    Attached Files:

  2. robboemma

    robboemma Private E-2

    Hitman Pro file of 455kb exceeds forum limit. Please advise.
     
  3. robboemma

    robboemma Private E-2

    Copied and pasted it into Notepad. Hopefully you can use this?

    File attached.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you deliberately set up to use a proxy?
     
  5. robboemma

    robboemma Private E-2

    No, I am not. I don't really know what a proxy is.

    I tried to change the settings of start up pages to Google but it keeps going to webssearches.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Robboemma, sorry for the delay, I've been out all day.

    Re run Hitman Pro and have it remove all that it finds.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1255949861-2777176875-3314495166-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1255949861-2777176875-3314495166-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://istart.webssearches.com/web/...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://istart.webssearches.com/web/...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these items on the "Tasks" tab please...

    • [Suspicious.Path] Digital Sites.job -- C:\Users\THEROB~1\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> Found
    • [Suspicious.Path] \\Digital Sites -- C:\Users\THEROB~1\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE (/Check) -> Found
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Please download AdwCleaner by Xplode and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.




    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • SN64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.


    • Attach the new MGlogs.zip
    • Also re run RogueKiller (just a scan) and attach log.
    • Explain how things are running.
     
  7. robboemma

    robboemma Private E-2

    Awesome.... I've followed the steps and reset Chrome's startup settings to Google and it seems to have worked - it's not going to Webssearches now!!!

    1. Hitman Pro: ran fine, appeared to delete everything,

    2. Rogue Killer: Managed to delete all of the Registry baddies except for the first one on the list - "PUP..." as it didn't appear in the list following the scan,
    nor were any of the ones under the "Tasks" tab called "Digital Sites",

    3. JRT: ran fine,

    4. AdwCleaner: ran fine,

    5. CMD: all ran fine with no error messages.

    Laptop seems to be OK but still seems to be running slow (seems a bit clunky). Maybe I need to do the MG "how to speed up your computer" steps??

    Haven't used the laptop throughout this process (even banned the kids!!!) but haven't experienced any more popups with what I have done.

    The following logs attached as requested:
    RKreport [2] from first run
    JRT
    AdwCleanerR0
    MGlogs
    RKreport from final scan

    Thank you :) Very grateful for Major Geeks help again :heart
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad things seem to be running better. However the proxy is still in place. I have just noticed that you are running more than one antivirus!!

    • AVG 2013
    • Avira Free Antivirus
    • Avira

    You need to uninstall AVG 2013 as it's out of date. In fact, for now I need you to uninstall ALL traces of any antivirus because I suspect it's blocking my fix and leaving the proxy there still...

    Once uninstalled, rerun RogueKiller, choose to remove the proxy entries as shown previously. Then rescan again and attach both logs.

    Then do this: Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  9. robboemma

    robboemma Private E-2

    Hi Kestrel!

    I have followed the instructions:

    1. Uninstalled Avira. I couldn't find AVG 2013 but I uninstalled the only thing on here by AVG Technologies.

    2. Ran Rogue Killer - tried to delete all of the proxy ones but got error messages (see screen shot attached)

    3. Re-ran Rogue Killer - all proxy ones seemed to have gone. Both RK logs attached.

    4. Ran MGLogs. Zip file attached.

    Please can you suggest a free anti-virus to install once the computer is fully fixed?

    Thanks again
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete this: C:\ProgramData\IHProtectUpDate

    AVG 2013 still showing, let's do this...

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • GetUnKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
    Last edited: Dec 17, 2014
  11. robboemma

    robboemma Private E-2

    I have followed your latest instructions:

    1. C:\ProgramData\IHProtectUpDate successfully deleted,
    2. Error messages when doing the cmd bit. Screenprints attached,
    3. MGlogs.zip attached.

    Ongoing Thanks :)
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi. :) I want you to download and run the avg removal tool.

    Then do this:

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  13. robboemma

    robboemma Private E-2

    I have done the avg removal tool.

    Upon reboot I got the message that is shown in the attached jpeg - I clicked 'cancel'???!

    MGlogs attached.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sigh... incomplete MGlogs.zip again. Do this:

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • SN64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    Attach the new MGlogs.zip
     
  15. robboemma

    robboemma Private E-2

    All done! Appeared to run fine, MGlogs.zip attached.

    Was I right to click cancel on the reboot after running the avg removal tool?
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right, now that worked. You need to install some antivirus now. Then explain again to me how things are running. :)
     
  17. robboemma

    robboemma Private E-2

    I am trying to download Avira Free (as I had before) and I keep getting a connection error - image attached - however internet connection appears to be fine on ordinary websites.

    Please advise?

    Can you recommend a different antivirus that may work? Don't really want to go back to AVG after the struggle with removing it recently???

    Thanks :)
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This can be further discussed in the software forum. :) Are you having any more malware issues? :confused
     
  19. robboemma

    robboemma Private E-2

    SO ANNOYING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    So, I downloaded Avast Free which worked fine.

    Uninstalled whatever was on here from Avira that wasn't working.

    When rebooting I have been getting (and ignoring) a request to update something (can't remember exactly what it said but think it was for Microsoft Office Starter which is installed on the Laptop)

    and WEBSSEARCHES is back :cry

    Have run RogueKiller, Hitman Pro and Getlogs in anticipation.... logs attached.
     

    Attached Files:

  20. robboemma

    robboemma Private E-2

    To clarify - I clicked to install the update.... could it be this that is evil??

    It is the only thing I have done on the laptop other than search for (google) and install Avast.
     
  21. robboemma

    robboemma Private E-2

    It seemed Getlogs hadn't finished running when I posted the logs before. The attached just appeared on my desktop.
     

    Attached Files:

  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54322;https=127.0.0.1:54322 -> Found
    • [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1255949861-2777176875-3314495166-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1255949861-2777176875-3314495166-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://istart.webssearches.com/?typ...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall -> Found
    • [PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://istart.webssearches.com/web/...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://istart.webssearches.com/web/...from=irs&uid=ST9750420AS_6WS24GYQXXXX6WS24GYQ /verysilent /hideuninstall&q={searchTerms} -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Delete this.. (I thought you did previously)

    • C:\ProgramData\IHProtectUpDate

    Which browser are you currently using? Perhaps you need to install a pop up blocker...


    Now re run RogueKiller and attach the new log.
     
  23. robboemma

    robboemma Private E-2

    Ran MSconfig - machine was already in Normal Startup mode

    Ran Rogue killer. It only found the PUMProxy ones - not the PUMhomepage or PUMsearchpage ones. Got errors (see attached log)

    I did delete IHProtectUpDate. It reappears when I reboot - found 3 copies of it in my recycle bin. Deleted again and emptied the bin.

    Re-ran Rogue Killer - log attached.

    You didn't ask me to uninstall my new anti-virus software so that is still running.

    I am using Chrome for my internet explorer.

    While I was writing this post I got the Microsoft Office Starter update prompt again. Screenshot attached. Other than install the new anti-virus I clicked to run this update. Could it be suspicious (as webssearches reappeared after I did this) or is it perfectly innocent?
     

    Attached Files:

  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You need to install a pop up blocker suitable for Google Chrome!

    Uninstall your antivirus and rerun the RogueKiller fix to try and kill those proxy entries. Then rescan the same way you did before, so I can see what RK still sees.... attach logs.
     
  25. robboemma

    robboemma Private E-2

    Installed Simple Adblocks extension to Chrome

    Uninstalled Avast anti-virus

    Rebooted

    Ran Rogue Killer - before and after logs attached - still have errors

    That IHProtectUpDate folder has reappeared again.
     

    Attached Files:

  26. robboemma

    robboemma Private E-2

    Also... when I shut down, the laptop seems to be installing updates nearly every other day, which seems a bit too regular to me.....?
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I can't see what changes have occurred. Re scan with RogueKiller once more and attach log.
     
  28. robboemma

    robboemma Private E-2

    Re-scanned, attempted to delete Proxy ones - again with errors, re-attached logs
     

    Attached Files:

  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So...when you rescan again does it STILL find proxy entries?
     
  30. robboemma

    robboemma Private E-2

    Yes it is still finding proxy entries. I have just run another scan and they are still there. I have attached screen shots in case they're any help...
     

    Attached Files:

  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.





    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    • Now re run Malware Bytes and let it fix anything it may find.
    • Rescan with Hitman Pro and attach the new log (Do not fix anything yet)
    • Also rescan with RogueKiller and attach log.

    Then finally...

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  32. robboemma

    robboemma Private E-2

    Created FixME.reg as described. It didn't run - I got an error message. Screenshot attached.

    Ran MalwareBytes - Quarantined all it found.

    Ran Hitman Pro - Log attached

    Ran RogueKiller - it didn't find as many Proxy entries as last time - log attached.

    MGlogs also attached as requested
     

    Attached Files:

  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let Hitman fix what it finds.

    Then rescan with RK ... does it still find proxy entries?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @Kestrel13!
    You need to tailor the fix per the user account SID as stated in my instructions. ;) Also antivirus programs need to be off and many times uninstalled.
     
    Last edited: Dec 23, 2014
  35. robboemma

    robboemma Private E-2

    There is no anti-virus installed at the moment

    Ran Hitman - it found nothing - log attached

    Had to download a new version of Rogue Killer as it said it was out of date when I fired it up.
    Ran new RK - Proxy entries found. Log attached.
    Attempted to delete proxy entries again - it said "replaced". Log attached.

    Don't understand any of what Chaslang said!!
     

    Attached Files:

  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Chas, I couldn't see where you'd posted in this thread except the last post you made, so don't know what you mean by your instructions.

    I do not know which user account these entries belong to.

    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found

    Obviously a different account to the one I'm working on, correct?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the Fighter's Forum in one of the threads about proxy issues. ;)
    And I'm not referring to the S-1-5-18 number. I'm referring to the User SID which is much longer and shows in multiple logs of MGtools. Ex: In newfiles.txt and in userinfo.txt

    Also I saw the below in the last MGlogs.zip which need to be questioned at a minimum:

    C:\Program Files (x86)\STab\cmdshell.exe
    C:\Program Files (x86)\STab\HPNotify.exe
    O23 - Service: IHProtect Service - TODO: <Company name> - C:\Program Files (x86)\STab\ProtectService.exe

    Some think these are malware and some do not. I do not see where anything named STab or Todo is installed, so what are these?
     
    Last edited: Dec 23, 2014
  38. robboemma

    robboemma Private E-2

    Hi Kestrel and Chas,

    Merry Christmas geeks!!

    Many thanks for your ongoing support :grouphug

    The Robinsons xx
     
  39. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Merry Christmas to you too!!

    What are these, do you have any ideas if you installed them to begin with, if they should be there, whether or not you knew they were there?

    • C:\Program Files (x86)\STab\cmdshell.exe
    • C:\Program Files (x86)\STab\HPNotify.exe
    • O23 - Service: IHProtect Service - TODO: <Company name> - C:\Program Files (x86)\STab\ProtectService.exe
     
  40. robboemma

    robboemma Private E-2

    No, I don't recognise what any of that could be.

    My daughter has a Leap Pad but I don't see that that could appear as STab
     
  41. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hang in there, I am consulting with Chaslang. Not forgotten you. :)
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe it is the below and should be removed.

    http://www.shouldiremoveit.com/SupTab-124251-program.aspx

    http://www.systemlookup.com/Drivers/10792-ProtectService_exe.html


    The USER SID seen in newfiles.txt for user name The Robinsons is below:

    Username: THEROBINSONS-PC\The Robinsons
    SID: S-1-5-21-1255949861-2777176875-3314495166-1001



    You can also see this in userinfo.txt where the below lines show:

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1255949861-2777176875-3314495166-1001
    ProfileImagePath REG_EXPAND_SZ C:\Users\The Robinsons


    Therefore in the previous registry patch the below was not the correct user SID
    The registry patch should have been as below:
     
    Last edited: Dec 27, 2014
  43. robboemma

    robboemma Private E-2

    Should I copy Chas's thing below into a FixME.reg and run that like before?

    Awaiting instruction :)
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll keep you moving along while Kestrel13! is not around. ;)

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Java(TM) 7 Update 5


    Now install the current version of Sun Java from:
    Make sure that when you install the new version of Java that you uncheck the Install the Ask Toolbar junkware checkbox. Also if it asks if you want to install McAfee Security Scan Plus, uncheck this too. You do not need to add these unnecessary items to your PC. Also, just in case Oracle changes the Java installation in the future to possibly install other junk, uncheck all but just installing Java.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    IHProtect Service
    
     
    :Files
    C:\Program Files (x86)\STab\cmdshell.exe
    C:\Program Files (x86)\STab\HPNotify.exe
    C:\Program Files (x86)\STab
    C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1255949861-2777176875-3314495166-1001Core.job
    C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1255949861-2777176875-3314495166-1001UA.job
    C:\ProgramData\Avira
    C:\ProgramData\IHProtectUpDate
    C:\Windows\TEMP\*.*
    C:\Users\The Robinsons\AppData\Local\Temp\*.*
    
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-21-1255949861-2777176875-3314495166-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "DefaultConnectionSettings"=-
    "SavedLegacySettings"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxySettingsPerUser"=dword:00000000
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Update]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now run a new scan with RogueKiller and save a new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
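    The proxy entries RogueKiller kept reporting in this thread (ProxyEnable and ProxyServer under HKEY_USERS\.DEFAULT, HKEY_USERS\S-1-5-18 and the user's own S-1-5-21-... hive, all pointing at 127.0.0.1:54322) and chaslang's point about mapping a SID to its account through ProfileList can be checked in one read-only pass. The PowerShell audit below is an added example, not code from the thread or from any MajorGeeks tool; it assumes it is run from an elevated prompt, and it only reports what it finds, changing nothing.

```powershell
# Added example (not from the thread). Read-only audit of the Internet Settings
# proxy values across every loaded hive under HKEY_USERS plus the machine-wide
# 64-bit and 32-bit (Wow6432Node) keys and the ProxySettingsPerUser policy.
# Each S-1-5-21-... SID is resolved to its profile folder via ProfileList, the
# same place chaslang read the SID from in userinfo.txt. A proxy that is enabled
# and points at 127.0.0.1 (a local interception proxy, as with 127.0.0.1:54322
# in this thread) is flagged as suspicious. Run from an elevated prompt.

function Get-ProfilePathForSid {
    param([string]$Sid)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
    }
    # Well-known hives that have no ProfileList entry
    switch ($Sid) {
        'S-1-5-18' { return '(Local System account)' }
        '.DEFAULT' { return '(default user hive)' }
        default    { return '(no profile found)' }
    }
}

function Get-ProxyAudit {
    # HKU: is not mapped as a drive by default
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    $targets = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        # PSChildName is the SID (or .DEFAULT); the *_Classes hives carry no proxy settings
        if ($hive.PSChildName -like '*_Classes') { continue }
        $targets += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    }

    foreach ($path in $targets) {
        if (-not (Test-Path $path)) { continue }
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $sid = if ($path -like 'HKU:\*') { $path.Split('\')[1] } else { 'HKLM' }
        $server = [string]$p.ProxyServer
        [pscustomobject]@{
            Key         = $path
            Owner       = if ($sid -eq 'HKLM') { '(machine-wide)' } else { Get-ProfilePathForSid $sid }
            ProxyEnable = $p.ProxyEnable
            ProxyServer = $server
            Suspicious  = ($p.ProxyEnable -eq 1) -and ($server -match '127\.0\.0\.1|localhost')
        }
    }

    # The OTM fix in this thread also cleared this policy; 0 means proxy settings are per machine
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    if (Test-Path $policy) {
        $v = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).ProxySettingsPerUser
        [pscustomobject]@{
            Key         = "$policy | ProxySettingsPerUser"
            Owner       = '(policy)'
            ProxyEnable = $null
            ProxyServer = [string]$v
            Suspicious  = $false
        }
    }
}

Get-ProxyAudit | Format-Table -AutoSize -Wrap
```

    Rows with Suspicious set to True are the ones to compare against the RogueKiller log; an entry under a S-1-5-21-... hive is the logged-on user's, while S-1-5-18 and .DEFAULT belong to Local System and the default profile, which is why a fix has to name the right SID.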
  45. robboemma

    robboemma Private E-2

    Successfully uninstalled Java(TM) 7 Update 5. I could also see JavaFX 2.1.1 but I didn't uninstall this as you did not ask me to.

    Installed new version of Sun Java. It did not offer me a form to uncheck boxes relating to McAfee scan or ASK toolbar however it doesn't appear to have installed these.

    Ran the code in OTM. Log attached.

    Ran Rogue Killer = no PUPs!!! :)

    Ran GetLogs. MGlogs.zip attached.

    Reset Chrome to default to Google and there is currently no sign of Webssearches reappearing!!

    Surfed the internet for 15 mins - all seemed fine.
     

    Attached Files:

  46. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi. :)

    The logs look good. Chaslang has as usual done an excellent clean up job. (Thanks Chas!!) Ready for final steps?
     
  47. robboemma

    robboemma Private E-2

    Yes please :-( !!! :major
     
  48. robboemma

    robboemma Private E-2

    That meant to be.... Yes Please :) !!! Definitely a happy face!
     
  49. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok! And again, thankyou Chaslang!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  50. robboemma

    robboemma Private E-2

    Wonderful! Thanking you both very much :) Have a happy new year!!! x
     
