
Removal instructions for Websteroids



What is Websteroids?

The Malwarebytes research team has determined that Websteroids is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Websteroids?

You may see this entry in your list of installed programs:

[image: warning4.png]

and these warnings during install:

[image: main.png]

[image: warning1.png]

How did Websteroids get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Websteroids?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.

Is there anything else I need to do to get rid of Websteroids?

  • No, Malwarebytes Anti-Malware removes Websteroids completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Websteroids adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

[image: protection1.png]

Technical details for experts

You will see these signs in a HijackThis log:

O23 - Service: Websteroids - Creative Island Media, LLC - C:\ProgramData\Websteroids\WebsteroidsService.exe

You may see these signs in FRST logs:

 (Creative Island Media, LLC) C:\ProgramData\Websteroids\WebsteroidsService.exe
 R2 Websteroids; C:\ProgramData\Websteroids\WebsteroidsService.exe [2320248 2015-08-10] (Creative Island Media, LLC)
 C:\ProgramData\Websteroids
 C:\Users\{username}\AppData\Local\Websteroids
 Websteroids (HKLM-x32\...\Websteroids) (Version: 2.7.35 - Creative Island Media, LLC) <==== ATTENTION

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\ProgramData\Websteroids
       Adds the file app.dat"="10/08/2015 11:06, 751981 bytes, A
       Adds the file data.dat"="10/08/2015 11:06, 2048 bytes, A
       Adds the file info.dat"="10/08/2015 11:06, 64 bytes, A
       Adds the file Uninstall.exe"="29/08/2014 14:36, 523128 bytes, A
       Adds the file Websteroids.dll"="10/08/2015 11:06, 1186168 bytes, A
       Adds the file Websteroids.exe"="10/08/2015 11:06, 50040 bytes, A
       Adds the file Websteroids.exe.config"="10/08/2015 11:06, 190 bytes, A
       Adds the file Websteroids.ico"="19/07/2013 21:20, 115421 bytes, A
       Adds the file WebsteroidsService.exe"="10/08/2015 11:06, 2320248 bytes, A
       Adds the file WebsteroidsService.exe.config"="10/08/2015 11:06, 189 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Websteroids

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}]
       "ad"="REG_SZ", "websteroidsapp.com"
       "id"="REG_SZ", "9945901608b74aa89f2de85da16678c9"
       "ip"="REG_SZ", "334"
       "ns"="REG_SZ", "WBST"
       "p"="REG_SZ", "334"
       "v"="REG_SZ", "2.7.35"
       "vp"="REG_SZ", "2.7.35334"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}]
       "(Default)"="REG_DWORD", 1
       "v"="REG_DWORD", 1
       "vs"="REG_SZ", "1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}]
       "id"="REG_SZ", "9945901608b74aa89f2de85da16678c9"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}]
       "ad"="REG_SZ", "websteroidsapp.com"
       "id"="REG_SZ", "9945901608b74aa89f2de85da16678c9"
       "ip"="REG_SZ", "334"
       "ns"="REG_SZ", "WBST"
       "p"="REG_SZ", "334"
       "v"="REG_SZ", "2.7.35"
       "vp"="REG_SZ", "2.7.35334"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}]
       "(Default)"="REG_DWORD", 1
       "v"="REG_DWORD", 1
       "vs"="REG_SZ", "1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ac7a636f-dd72-c639-4966-912b4ffda845}]
       "id"="REG_SZ", "9945901608b74aa89f2de85da16678c9"
       "p"="REG_SZ", "334"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c05d0563-63b8-c136-79b8-1e18c687e1a4}]
       "ik"="REG_SZ", "{9e5986b6-2d18-ed47-a736-1e32683f21de}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}]
       "id"="REG_SZ", "9945901608b74aa89f2de85da16678c9"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\WebsteroidsService_RASAPI32]
       "ConsoleTracingMask"="REG_DWORD", -65536
       "EnableConsoleTracing"="REG_DWORD", 0
       "EnableFileTracing"="REG_DWORD", 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD", -65536
       "MaxFileSize"="REG_DWORD", 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\WebsteroidsService_RASMANCS]
       "ConsoleTracingMask"="REG_DWORD", -65536
       "EnableConsoleTracing"="REG_DWORD", 0
       "EnableFileTracing"="REG_DWORD", 0
       "FileDirectory"="REG_EXPAND_SZ, "%windir%\tracing"
       "FileTracingMask"="REG_DWORD", -65536
       "MaxFileSize"="REG_DWORD", 1048576
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Websteroids]
       "DisplayIcon"="REG_SZ", "C:\ProgramData\Websteroids\Websteroids.ico"
       "DisplayName"="REG_SZ", "Websteroids"
       "DisplayVersion"="REG_SZ", "2.7.35"
       "EstimatedSize"="REG_DWORD", 3624
       "HelpLink"="REG_SZ", "http://www.websteroidsapp.com/about.html"
       "InstallDate"="REG_SZ", "20150810"
       "Publisher"="REG_SZ", "Creative Island Media, LLC"
       "UninstallString"="REG_SZ", "C:\ProgramData\Websteroids\uninstall.exe /kb=y /ic=0"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Websteroids]
       "DependOnService"="REG_MULTI_SZ, "Winmgmt CryptSvc "
       "DisplayName"="REG_SZ", "Websteroids"
       "ErrorControl"="REG_DWORD", 1
       "FailureActions"="REG_BINARY, <.....................
       "ImagePath"="REG_EXPAND_SZ, ""C:\ProgramData\Websteroids\WebsteroidsService.exe""
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16
       "WOW64"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\AppDataLow\Software\DynConIE]
       "id"="REG_SZ", "9945901608b74aa89f2de85da16678c9"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/08/2015
Scan Time: 11:15
Logfile: mbamWebsteroids.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.10.01
Rootkit Database: v2015.08.06.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 329726
Time Elapsed: 4 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\WebsteroidsService.exe, 2900, Delete-on-Reboot, [042552b58dfee353e4954bdc976a6799]

Modules: 0
(No malicious items detected)

Registry Keys: 9
PUP.Optional.Websteroids.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Websteroids, Quarantined, [042552b58dfee353e4954bdc976a6799],
PUP.Optional.WebSteroids.A, HKLM\SOFTWARE\CLASSES\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}, Quarantined, [df4a27e0018ae74ff4bc514630d2ba46],
PUP.Optional.WebSteroids.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}, Quarantined, [df4a27e0018ae74ff4bc514630d2ba46],
PUP.Optional.WebSteroids.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}, Quarantined, [df4a27e0018ae74ff4bc514630d2ba46],
PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [d851b1564e3d92a4325c6e2900025ca4],
PUP.Optional.DynConIE.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [d851b1564e3d92a4325c6e2900025ca4],
PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [d851b1564e3d92a4325c6e2900025ca4],
PUP.Optional.MultiIE.A, HKCU\SOFTWARE\APPDATALOW\SOFTWARE\DynConIE, Quarantined, [092039ce2f5cf14508756f1d7a8a53ad],
PUP.Optional.Websteroids.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Websteroids, Quarantined, [d6534cbb8605af876bc761ad0df641bf],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.Websteroids.A, C:\Users\{username}\AppData\Local\Websteroids, Quarantined, [bc6d2ed9523990a6bcf041a446bc8b75],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids, Delete-on-Reboot, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\up, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\up\2.7.41, Quarantined, [d6534cbb8605af876bc761ad0df641bf],

Files: 16
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\WebsteroidsService.exe, Delete-on-Reboot, [042552b58dfee353e4954bdc976a6799],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids.exe, Quarantined, [1514020526655cda50298b9c50b10000],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids64.exe, Quarantined, [5bced235c0cb82b4463353d4e71ae917],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\up\2.7.41\update.exe, Quarantined, [83a629de66252b0b7bfeda4d6b967c84],
PUP.Optional.Blasteroids.A, C:\Users\{username}\Desktop\Setup.exe, Quarantined, [e247e0274a410432a2ca9ea09f6155ab],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\app.dat, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\data.dat, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\info.dat, Delete-on-Reboot, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Uninstall.exe, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids.dll, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids.exe.config, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids.ico, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids64.dll, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\Websteroids64.exe.config, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\WebsteroidsService.exe.config, Quarantined, [d6534cbb8605af876bc761ad0df641bf],
PUP.Optional.Websteroids.A, C:\ProgramData\Websteroids\up\2.7.41\update.exe.config, Quarantined, [d6534cbb8605af876bc761ad0df641bf],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
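
An added example, not part of the original guide and not Malwarebytes code: a Python triage helper that checks HijackThis and FRST log lines against the service name, install paths and publisher listed under "Technical details for experts". The sample log is constructed from lines on this page plus two made-up benign entries (ExampleUpdater, ExampleSvc), and the FRST service-line layout is assumed from the single line shown above.

```python
import re

# Indicators taken from the log excerpts in this guide.
SERVICE_NAME = "websteroids"
PUBLISHER = "creative island media, llc"
INSTALL_PATHS = (r"c:\programdata\websteroids", r"\appdata\local\websteroids")

# HijackThis: "O23 - Service: <name> - <publisher> - <image path>"
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<pub>.+) - (?P<path>[A-Za-z]:\\.+)$")
# FRST service line (layout assumed from the one line shown on the page):
# "R2 <name>; <image path> [<size> <yyyy-mm-dd>] (<publisher>)"
FRST_SVC = re.compile(
    r"^[A-Z]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\] \(.+\)")

# Constructed sample: lines from this page plus two made-up benign entries.
SAMPLE_LOG = r"""O23 - Service: ExampleUpdater - Example Corp - C:\Program Files\Example\updater.exe
O23 - Service: Websteroids - Creative Island Media, LLC - C:\ProgramData\Websteroids\WebsteroidsService.exe
R2 Websteroids; C:\ProgramData\Websteroids\WebsteroidsService.exe [2320248 2015-08-10] (Creative Island Media, LLC)
R2 ExampleSvc; C:\Program Files\Example\svc.exe [12345 2015-01-01] (Example Corp)
C:\Users\{username}\AppData\Local\Websteroids
Websteroids (HKLM-x32\...\Websteroids) (Version: 2.7.35 - Creative Island Media, LLC) <==== ATTENTION
"""

def classify(line):
    """Return the reasons a log line matches the Websteroids indicators."""
    text = line.strip()
    low = text.lower()
    reasons = []
    m = HJT_O23.match(text) or FRST_SVC.match(text)
    if m:  # structured service entry: compare parsed fields, not substrings
        if m.group("name").strip().lower() == SERVICE_NAME:
            reasons.append("service-name")
        if m.group("path").strip('"').lower().startswith(INSTALL_PATHS[0]):
            reasons.append("service-image-path")
    if any(p in low for p in INSTALL_PATHS):
        reasons.append("install-path")
    if PUBLISHER in low:  # weak on its own: a publisher can ship other software
        reasons.append("publisher")
    return reasons

def triage(log_text):
    """Return (line number, reasons) for every line that matches."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits

if __name__ == "__main__":
    for number, reasons in triage(SAMPLE_LOG):
        print(number, ", ".join(reasons))
```

Lines that match only on "publisher" deserve a manual look before being attributed to Websteroids; service-name and path matches are the stronger signals.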