Removal instructions for SupTab


What is SupTab?

The Malwarebytes research team has determined that SupTab is a very common mix of programs designed to hijack your browser(s) and to stop you from changing the settings back.

These so-called "hijackers" manipulate your browser(s), for example by changing your start page or search scopes, so that the affected browser visits their site or one of their choosing. In this case the hijack redirected to isearch.omiga-plus.com. This one also displays advertisements.

Typically you will see a mix of detections: PUP.Optional.SupTab.A, PUP.Optional.OmigaPlus.A, PUP.Optional.WindowsProtectManger.A, PUP.Optional.XTab.A, PUP.Optional.IHProtect.A, PUP.Optional.FastStart.A and more.

How do I know if my computer is affected by SupTab?

You may see these browser add-ons:

warning1.png

warning2.png

and this icon in your taskbar:

icons.png

How did SupTab get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

trick.png

How do I remove SupTab?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.

Is there anything else I need to do to get rid of SupTab?

  • This hijacker alters the shortcuts for Chrome, Firefox and Internet Explorer on your desktop, in the taskbar and in the Start Menu Programs folder, so that the browser still opens isearch.omiga-plus.com after its settings have been put back. Read here how to clean your shortcuts.
  • If you are using Chrome you may want to use the Reset all settings button after changing the shortcuts.

    settingsChrome.png

    This will save you some time resetting the home-page and search settings.
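The shortcut cleanup described above, as an added PowerShell example that is not part of the original post. It walks the locations the post names (user and Public desktop, user and common Start Menu, taskbar pins), reports every .lnk whose command line contains isearch.omiga-plus.com, and with -Fix strips that argument. It assumes the hijack lives in the shortcut's Arguments field, i.e. the URL is appended to the browser command line and the browser target itself is intact; the target is printed so a changed target can be spotted by eye. The -Fix and -HijackHost parameter names are my own.

```powershell
<#
  Added example (not part of the original Malwarebytes post).
  Finds browser shortcuts (.lnk) whose command line was altered to open
  http://isearch.omiga-plus.com/ and, with -Fix, strips that argument.
  Assumption: the hijack is carried in the shortcut's Arguments field and the
  TargetPath is left intact; TargetPath is reported so you can check that.
  Run from an elevated prompt so Public and All Users shortcuts can be rewritten.
#>
param(
    [switch]$Fix,
    [string]$HijackHost = 'isearch.omiga-plus.com'
)

# Locations where the post reports altered shortcuts.
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    "$env:PUBLIC\Desktop",
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { Test-Path $_ }

$shell = New-Object -ComObject WScript.Shell
$hits  = @()

foreach ($lnk in Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if ($sc.Arguments -match [regex]::Escape($HijackHost)) {
        $hits += [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
        }
        if ($Fix) {
            # Drop only the token(s) carrying the hijack host; keep any other arguments.
            $clean = ($sc.Arguments -split '\s+' |
                      Where-Object { $_ -and ($_ -notmatch [regex]::Escape($HijackHost)) }) -join ' '
            $sc.Arguments = $clean
            $sc.Save()
            Write-Host "Cleaned: $($lnk.FullName)"
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host "No shortcuts reference $HijackHost"
} else {
    $hits | Format-Table -AutoSize
    if (-not $Fix) { Write-Host 'Re-run with -Fix to strip the argument.' }
}
```

Run it after the scan and reboot, not before: the hijacker's protection components exist to put such changes back, so clean the shortcuts once they are gone.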

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the SupTab hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it was too late.

protection1.png

Technical details for experts

Signs in a HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
O2 - BHO: IETabPage Class - {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} - C:\Program Files\XTab\SupTab.dll
O23 - Service: IHProtect Service - XTab system - C:\Program Files\XTab\ProtectService.exe
O23 - Service: WindowsMangerProtect Service (WindowsMangerProtect) - SysTool PasSame LIMITED - C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe

You may see these entries in a FRST log:

() C:\Users\{username}\AppData\Local\Temp\Wtmp304868\tmp\CrashReport_v6.2.7601.775.exe
(SysTool PasSame LIMITED) C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
(XTab system) C:\Program Files\XTab\ProtectService.exe
(SearchProtect) C:\Program Files\XTab\CmdShell.exe
(XTab system) C:\Program Files\XTab\HPNotify.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/q={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
SearchScopes: HKCU -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
SearchScopes: HKCU -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
SearchScopes: HKCU -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
SearchScopes: HKCU -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
SearchScopes: HKCU -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
BHO: IETabPage Class -> {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> C:\Program Files\XTab\SupTab.dll (Thinknice Co. Limited)
FF NewTab: hxxp://isearch.omiga-plus.com/newtab/
FF DefaultSearchEngine: omiga-plus
FF SelectedSearchEngine: omiga-plus
FF Homepage: hxxp://isearch.omiga-plus.com/
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\74979c91-c812-44d6-90e1-1ff0491351e5@e3e0c78c-dd15-4ac4-b6a0-08cad184bd23.com [Not Found]
FF user.js: detected! => C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\user.js
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\omiga-plus.xml
FF Extension: Fast Start - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\Extensions\faststartff@gmail.com [2015-02-07]
FF HKLM\...\Firefox\Extensions: [faststartff@gmail.com] - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com
StartMenuInternet: Google Chrome - C:\Program Files\Google\Chrome\Application\chrome.exe http://isearch.omiga-plus.com/
StartMenuInternet: (HKLM) OperaStable - C:\Program Files\Opera\Launcher.exe http://isearch.omiga-plus.com/
R2 IHProtect Service; C:\Program Files\XTab\ProtectService.exe [158896 2015-01-16] (XTab system)
R2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [487056 2015-02-07] (SysTool PasSame LIMITED)
() C:\ProgramData\IHProtectUpDate
() C:\Program Files\XTab
() C:\ProgramData\WindowsMangerProtect
() C:\Users\Public\Desktop\Google Chrome.lnk
() C:\Users\{username}\Desktop\iexplore.lnk
() C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
() C:\Users\Public\Desktop\Mozilla Firefox.lnk
() C:\Program Files\Mozilla Firefox
() C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
C:\Users\{username}\AppData\Local\Temp\Runner2.exe
C:\Users\{username}\AppData\Local\Temp\Runner4.exe
C:\Users\{username}\AppData\Local\Temp\smarter.exe

Alterations made by the installer:

File system details
---------------------------------------------
In the existing folder C:\Program Files\Mozilla Firefox\browser\searchplugins
   Adds the file omiga-plus.xml  2/7/2015 12:37 PM, 569 bytes, A
Adds the folder C:\Program Files\XTab
   Adds the file BrowerWatchCH.dll  1/16/2015 9:45 AM, 23728 bytes, A
   Adds the file BrowerWatchFF.dll  1/16/2015 9:45 AM, 23728 bytes, A
   Adds the file BrowserAction.dll  1/15/2015 3:27 AM, 1720320 bytes, A
   Adds the file CmdShell.exe  1/16/2015 9:45 AM, 48304 bytes, A
   Adds the file conf  2/7/2015 12:39 PM, 486 bytes, A
   Adds the file ffsearch_toolbar!1.0.0.1025.xpi  12/31/2014 4:49 AM, 14731 bytes, A
   Adds the file HPNotify.exe  1/16/2015 9:45 AM, 673968 bytes, A
   Adds the file IeWatchDog.dll  1/16/2015 9:45 AM, 20656 bytes, A
   Adds the file install.data  2/7/2015 12:38 PM, 76 bytes, A
   Adds the file msvcp110.dll  10/8/2014 8:19 AM, 535008 bytes, A
   Adds the file msvcr110.dll  10/8/2014 8:19 AM, 875472 bytes, A
   Adds the file ProtectService.exe  1/16/2015 9:45 AM, 158896 bytes, A
   Adds the file searchProvider.xml  2/7/2015 12:38 PM, 2550 bytes, A
   Adds the file SupTab.dll  1/16/2015 9:45 AM, 210096 bytes, A
Adds the folder C:\Program Files\XTab\skin
   Adds the file about.png  11/21/2014 8:44 AM, 4684 bytes, A
   Adds the file about_bk.png  11/21/2014 8:44 AM, 30581 bytes, A
   Adds the file btn.png  11/21/2014 8:44 AM, 2347 bytes, A
   Adds the file btn_apply.png  11/21/2014 8:44 AM, 6463 bytes, A
   Adds the file close.png  11/21/2014 8:44 AM, 3103 bytes, A
   Adds the file conf.xml  11/21/2014 8:44 AM, 8371 bytes, A
   Adds the file conf_back.png  11/21/2014 8:44 AM, 38792 bytes, A
   Adds the file input_bk.png  11/21/2014 8:44 AM, 2872 bytes, A
   Adds the file logo.png  11/21/2014 8:44 AM, 5781 bytes, A
   Adds the file main.xml  11/21/2014 8:44 AM, 4528 bytes, A
   Adds the file radio_1.png  11/21/2014 8:44 AM, 3293 bytes, A
   Adds the file radio_2.png  11/21/2014 8:44 AM, 3422 bytes, A
   Adds the file rigth_arrow.png  11/21/2014 8:44 AM, 2849 bytes, A
   Adds the file settings.png  11/21/2014 8:44 AM, 5124 bytes, A
Adds the folder C:\Program Files\XTab\skin\image
Adds the folder C:\Program Files\XTab\web
   Adds the file data.html  12/29/2014 9:18 AM, 20453 bytes, A
   Adds the file indexIE.html  12/31/2014 8:56 AM, 1874 bytes, A
   Adds the file indexIE8.html  12/29/2014 9:18 AM, 45446 bytes, A
   Adds the file main.css  12/29/2014 9:18 AM, 19504 bytes, A
   Adds the file ver.txt  12/29/2014 9:18 AM, 5 bytes, A
Adds the folder C:\Program Files\XTab\web\_locales
Adds the folder C:\Program Files\XTab\web\img
   Adds the file arrow.png  12/29/2014 9:18 AM, 259 bytes, A
   Adds the file default_add_logo.png  12/29/2014 9:18 AM, 1351 bytes, A
   Adds the file default_add_logo_hover.png  12/29/2014 9:18 AM, 1335 bytes, A
   Adds the file default_logo.png  12/29/2014 9:18 AM, 5143 bytes, A
   Adds the file google_trends.png  12/29/2014 9:18 AM, 7222 bytes, A
   Adds the file googlelogo.png  12/29/2014 9:18 AM, 7307 bytes, A
   Adds the file googlelogo2.png  12/29/2014 9:18 AM, 31930 bytes, A
   Adds the file icon128.png  12/29/2014 9:18 AM, 9526 bytes, A
   Adds the file icon16.png  12/29/2014 9:18 AM, 628 bytes, A
   Adds the file icon48.png  12/29/2014 9:18 AM, 3648 bytes, A
   Adds the file loading.gif  12/29/2014 9:18 AM, 5008 bytes, A
   Adds the file logo32.ico  12/29/2014 9:18 AM, 4286 bytes, A
Adds the folder C:\Program Files\XTab\web\img\weather
   Adds the file 0.png  12/29/2014 9:18 AM, 1080 bytes, A
Adds the folder C:\Program Files\XTab\web\js
   Adds the file common.js  12/31/2014 8:35 AM, 2502 bytes, A
   Adds the file ga.js  12/29/2014 9:18 AM, 39736 bytes, A
   Adds the file ie8.js  12/29/2014 9:18 AM, 156 bytes, A
   Adds the file jquery.autocomplete.js  12/29/2014 9:18 AM, 12099 bytes, A
   Adds the file jquery-1.11.0.min.js  12/29/2014 9:18 AM, 96381 bytes, A
   Adds the file js.js  12/29/2014 9:18 AM, 18213 bytes, A
   Adds the file library.js  12/29/2014 9:18 AM, 87473 bytes, A
   Adds the file xagainit.js  12/29/2014 9:18 AM, 3713 bytes, A
   Adds the file xagainit2.0.js  12/29/2014 9:18 AM, 3889 bytes, A
   Adds the file xagainit-ie8.js  12/29/2014 9:18 AM, 3890 bytes, A
Adds the folder C:\ProgramData\IHProtectUpDate\update
In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs
   Alters the file Mozilla Firefox.lnk  11/9/2013 10:58 AM, 1307 bytes, A ==> 2/7/2015 12:37 PM, 1321 bytes, A
In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
   Alters the file Google Chrome.lnk  1/5/2015 12:51 PM, 2164 bytes, A ==> 2/7/2015 12:37 PM, 2364 bytes, A
Adds the folder C:\ProgramData\WindowsMangerProtect
   Adds the file ProtectWindowsManager.exe  2/7/2015 12:37 PM, 487056 bytes, A
Adds the folder C:\ProgramData\WindowsMangerProtect\update
   Adds the file conf  2/7/2015 12:38 PM, 1 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com\chrome
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com\chrome\content
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com\chrome\locale
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com\chrome\skin
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com\defaults\preferences
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com\modules
In the existing folder C:\Users\{username}\Desktop
   Alters the file iexplore.lnk  11/9/2013 11:26 AM, 1471 bytes, A ==> 2/7/2015 12:37 PM, 1671 bytes, A
In the existing folder C:\Users\Public\Desktop
   Alters the file Google Chrome.lnk  1/5/2015 12:51 PM, 2129 bytes, A ==> 2/7/2015 12:37 PM, 2329 bytes, A
   Alters the file Mozilla Firefox.lnk  11/9/2013 11:45 AM, 1109 bytes, A ==> 2/7/2015 12:37 PM, 1309 bytes, A

Registry details
------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
   "fd1"="REG_SZ", "07"
   "fn1"="REG_SZ", "v6y-"
   "id0"="REG_SZ", "07022015"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
   "(Default)"="REG_SZ", "IETabPage Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
   "(Default)"="REG_SZ", "C:\Program Files\XTab\SupTab.dll"
   "ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
   "(Default)"="REG_SZ", "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
   "(Default)"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
   "(Default)"="REG_SZ", "IIETabPage"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid]
   "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
   "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
   "(Default)"="REG_SZ", "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
   "Version"="REG_SZ", "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
   "(Default)"="REG_SZ", "SupTabLib"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
   "(Default)"="REG_SZ", "C:\Program Files\XTab\SupTab.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
   "(Default)"="REG_SZ", "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
   "(Default)"="REG_SZ", "C:\Program Files\XTab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
   "(Default)"="REG_SZ", "C:\Program Files\Google\Chrome\Application\chrome.exe" http://isearch.omiga-plus.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\IHProtect]
   "ptid"="REG_SZ", "ild"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN]
   "Default_Page_URL"="REG_SZ", "http://isearch.omiga-plus.com/"
   "Default_Search_URL"="REG_SZ", "http://isearch.omiga-plus.com/web/&q={searchTerms}"
   "Search Page"="REG_SZ", "http://isearch.omiga-plus.com/web/&q={searchTerms}"
   "Start Page"="REG_SZ", "http://isearch.omiga-plus.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
   "CrashReport.exe"="REG_DWORD", 7000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
   "DefaultScope"="REG_SZ", "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
   "DisplayName"="REG_SZ", "omiga-plus"
   "URL"="REG_SZ", "http://isearch.omiga-plus.com/web/&q={searchTerms}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
   "faststartff@gmail.com"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\faststartff@gmail.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\omiga-plusSoftware\omiga-plushp]
   "oem"="REG_SZ", "ild"
   "Time"="REG_QWORD", ....
[HKEY_LOCAL_MACHINE\SOFTWARE\SupDp]
   "dir"="REG_SZ", "C:\Program Files\XTab"
[HKEY_LOCAL_MACHINE\SOFTWARE\supTab]
   "ptid"="REG_SZ", "ild"
[HKEY_LOCAL_MACHINE\SOFTWARE\supWindowsMangerProtect]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
   "EventMessageFile"="REG_EXPAND_SZ", "C:\ProgramData\WindowsMangerPro"
   "TypesSupported"="REG_DWORD", 7
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IHProtect Service]
   "DisplayName"="REG_SZ", "IHProtect Service"
   "ErrorControl"="REG_DWORD", 1
   "ImagePath"="REG_EXPAND_SZ", "C:\Program Files\XTab\ProtectService.exe"
   "ObjectName"="REG_SZ", "LocalSystem"
   "Start"="REG_DWORD", 2
   "Type"="REG_DWORD", 16
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WindowsMangerProtect]
   "Description"="REG_SZ", "WindowsMangerProtect service"
   "DisplayName"="REG_SZ", "WindowsMangerProtect Service"
   "ErrorControl"="REG_DWORD", 1
   "Group"="REG_SZ", "SchedulerGroup"
   "ImagePath"="REG_EXPAND_SZ", "C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service"
   "ObjectName"="REG_SZ", "LocalSystem"
   "Start"="REG_DWORD", 2
   "Type"="REG_DWORD", 16
[HKEY_CURRENT_USER\Software\1ClickDownload]
   "LastInstall0"="REG_SZ", "30425802"
   "LastInstall3"="REG_SZ", "30425802"
   "LastInstallY"="REG_SZ", "30425802"
   "UID"="REG_SZ", "363761965"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
   "Default_Page_URL"="REG_SZ", "http://isearch.omiga-plus.com/"
   "Start Page"="REG_SZ", "http://isearch.omiga-plus.com/"
[HKEY_CURRENT_USER\Software\Mozilla\Extends]
   "appid"="REG_SZ", "faststartff@gmail.com"
   "ptid"="REG_SZ", "ild"
   "uid"="REG_SZ", "{unique computer identifier}"

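A read-only triage script, added here as an example and not part of the original post, that checks a machine for the indicators listed in the details above: the two services running as LocalSystem, the IETabPage BHO, the dropped folders, the vendor registry keys, and every Internet Explorer start page, search page, search scope or StartMenuInternet command that still points at isearch.omiga-plus.com. The identifiers are taken from the details above; the output format is mine, and the Wow6432Node paths are an addition for 64-bit Windows (the log on this page comes from a 32-bit machine).

```powershell
<#
  Added example (not part of the original Malwarebytes post).
  Reports the SupTab / Omiga Plus indicators from the technical details
  above. It changes nothing. Wow6432Node paths are included as an
  assumption for 64-bit hosts; the original log is from an x86 system.
#>
$hijackHost = 'isearch.omiga-plus.com'
$bhoClsid   = '{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}'
$findings   = New-Object System.Collections.Generic.List[string]

# 1. The two watchdog services that re-apply the hijack when settings are put back.
foreach ($svc in 'IHProtect Service', 'WindowsMangerProtect') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $img = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Service '$svc' is $($s.Status) -> $img")
    }
}

# 2. The SupTab.dll Browser Helper Object registered for Internet Explorer.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    if (Test-Path "$hive\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid") {
        $dll = (Get-ItemProperty "$hive\Classes\CLSID\$bhoClsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("BHO $bhoClsid registered under $hive -> $dll")
    }
}

# 3. Dropped folders and vendor keys named in the file system and registry details.
foreach ($p in "$env:ProgramFiles\XTab", "${env:ProgramFiles(x86)}\XTab",
               "$env:ProgramData\WindowsMangerProtect", "$env:ProgramData\IHProtectUpDate") {
    if ($p -and (Test-Path $p)) { $findings.Add("Folder present: $p") }
}
foreach ($k in 'HKLM:\SOFTWARE\SupDp', 'HKLM:\SOFTWARE\supTab', 'HKLM:\SOFTWARE\IHProtect',
               'HKLM:\SOFTWARE\supWindowsMangerProtect', 'HKLM:\SOFTWARE\omiga-plusSoftware',
               'HKCU:\Software\Mozilla\Extends', 'HKCU:\Software\1ClickDownload') {
    if (Test-Path $k) { $findings.Add("Registry key present: $k") }
}

# 4. Any value under the IE and StartMenuInternet keys that still carries the hijack host.
$valueKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($root in $valueKeys) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)) {
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            if ($val -like "*$hijackHost*") {
                $label = if ($name) { $name } else { '(default)' }
                $findings.Add("$($key.Name)\$label = $val")
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No SupTab / Omiga Plus indicators found.'
} else {
    Write-Host "$($findings.Count) indicator(s) found:"
    $findings | ForEach-Object { Write-Host "  $_" }
    Write-Host 'Remove the two services before correcting browser values by hand, or they will be put back.'
}
```

Run it from an elevated prompt so the HKLM service and BHO keys are readable in full. A clean run after the scan and reboot is the quickest way to confirm that nothing survived.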
Excerpt of the Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/7/2015
Scan Time: 12:49:20 PM
Logfile: mbamSupTab.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.07.04
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 290480
Time Elapsed: 4 min, 17 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 4
PUP.Optional.WindowsProtectManger.A, C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe, 2316, Delete-on-Reboot, [2e72110a6b1fa98d4386491d1fe1d729]
PUP.Optional.XTab.A, C:\Program Files\XTab\ProtectService.exe, 3808, Delete-on-Reboot, [762ad04b44468fa70fa4b5548082728e]
PUP.Optional.XTab.A, C:\Program Files\XTab\CmdShell.exe, 3944, Delete-on-Reboot, [633d5cbf4248ae888dc7c9c1e41f7d83]
PUP.Optional.XTab.A, C:\Program Files\XTab\HPNotify.exe, 3996, Delete-on-Reboot, [633d5cbf4248ae888dc7c9c1e41f7d83]

Modules: 13
Registry Keys: 18
Registry Values: 3
Registry Data: 8
Folders: 64
Files: 147
Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.