Removal instructions for SupTab


#1 Metallica (Spyware Veteran, GeekU Moderator)
Content is republished with permission from Malwarebytes.

What is SupTab?

The Malwarebytes research team has determined that SupTab is a very common mix of programs designed to hijack your browser(s) and stop you from changing the settings back.
These so-called "hijackers" manipulate your browser(s), for example by changing your start page or search scopes, so that the affected browser visits their site or one of their choice. In this case the browser was hijacked to isearch.omiga-plus.com. This one also displays advertisements.
Typically you will see a mix of detections: PUP.Optional.SupTab.A, PUP.Optional.OmigaPlus.A, PUP.Optional.WindowsProtectManger.A, PUP.Optional.XTab.A, PUP.Optional.IHProtect.A, PUP.Optional.FastStart.A and more.

How do I know if my computer is affected by SupTab?

You may see these browser add-ons:

warning1.png

warning2.png

and this icon in your taskbar:

icons.png

How did SupTab get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

trick.png

How do I remove SupTab?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Is there anything else I need to do to get rid of SupTab?
  • If you are using Chrome and/or Firefox, note that this hijacker alters the shortcuts for Chrome, Firefox and Internet Explorer on your desktop, in the taskbar and in the Start Menu Programs folder. Read here how to clean your shortcuts.
  • If you are using Chrome you may want to use the Reset all settings button after changing the shortcuts.
    settingsChrome.png
    This will save you some time resetting the home-page and search settings.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the SupTab hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

protection1.png


Technical details for experts

Signs in a HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
O2 - BHO: IETabPage Class - {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} - C:\Program Files\XTab\SupTab.dll
O23 - Service: IHProtect Service - XTab system - C:\Program Files\XTab\ProtectService.exe
O23 - Service: WindowsMangerProtect Service (WindowsMangerProtect) - SysTool PasSame LIMITED - C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe

You may see these entries in a FRST log:

 () C:\Users\{username}\AppData\Local\Temp\Wtmp304868\tmp\CrashReport_v6.2.7601.775.exe
 (SysTool PasSame LIMITED) C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
 (XTab system) C:\Program Files\XTab\ProtectService.exe
 (SearchProtect) C:\Program Files\XTab\CmdShell.exe
 (XTab system) C:\Program Files\XTab\HPNotify.exe
 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/q={searchTerms}
 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/q={searchTerms}
 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
 HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/
 SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/q={searchTerms}
 SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
 SearchScopes: HKCU -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
 SearchScopes: HKCU -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
 SearchScopes: HKCU -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
 SearchScopes: HKCU -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
 SearchScopes: HKCU -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://isearch.omiga-plus.com/web/&q={searchTerms}
 BHO: IETabPage Class -> {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} -> C:\Program Files\XTab\SupTab.dll (Thinknice Co. Limited)
 FF NewTab: hxxp://isearch.omiga-plus.com/newtab/
 FF DefaultSearchEngine: omiga-plus
 FF SelectedSearchEngine: omiga-plus
 FF Homepage: hxxp://isearch.omiga-plus.com/
 FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\74979c91-c812-44d6-90e1-1ff0491351e5@e3e0c78c-dd15-4ac4-b6a0-08cad184bd23.com [Not Found]
 FF user.js: detected! => C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\user.js
 FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\omiga-plus.xml
 FF Extension: Fast Start - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\Extensions\[email protected] [2015-02-07]
 FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]
 StartMenuInternet: Google Chrome - C:\Program Files\Google\Chrome\Application\chrome.exe http://isearch.omiga-plus.com/
 StartMenuInternet: (HKLM) OperaStable - C:\Program Files\Opera\Launcher.exe http://isearch.omiga-plus.com/
 R2 IHProtect Service; C:\Program Files\XTab\ProtectService.exe [158896 2015-01-16] (XTab system)
 R2 WindowsMangerProtect; C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [487056 2015-02-07] (SysTool PasSame LIMITED)
 () C:\ProgramData\IHProtectUpDate
 () C:\Program Files\XTab
 () C:\ProgramData\WindowsMangerProtect
 () C:\Users\Public\Desktop\Google Chrome.lnk
 () C:\Users\{username}\Desktop\iexplore.lnk
 () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
 () C:\Users\Public\Desktop\Mozilla Firefox.lnk
 () C:\Program Files\Mozilla Firefox
 () C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
 C:\Users\{username}\AppData\Local\Temp\Runner2.exe
 C:\Users\{username}\AppData\Local\Temp\Runner4.exe
 C:\Users\{username}\AppData\Local\Temp\smarter.exe
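Added example, not part of the Malwarebytes write-up: a small Python triage script that applies the indicators visible in the HijackThis and FRST excerpts above (the isearch.omiga-plus.com URL, the XTab folder, the IHProtect and WindowsMangerProtect services, the SupTab BHO CLSID, and Firefox's search engine set to omiga-plus) to a saved log. The sample lines are constructed from entries on this page plus two benign lines for contrast; the indicator labels and function names are my own.

```python
"""Triage a saved HijackThis / FRST log for the SupTab / OmigaPlus indicators
listed on this page. Example code for this page, not Malwarebytes' tooling."""
import re

# Indicators taken from the page's HijackThis and FRST entries (labels are mine).
INDICATOR_PATTERNS = [
    ("hijacked search/start URL", re.compile(r"isearch\.omiga-plus\.com", re.I)),
    ("XTab component", re.compile(r"\\XTab\\", re.I)),
    ("WindowsMangerProtect service", re.compile(r"WindowsMangerProtect", re.I)),
    ("IHProtect service", re.compile(r"IHProtect", re.I)),
    ("SupTab BHO CLSID", re.compile(r"\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C\}", re.I)),
    ("Firefox search engine set to omiga-plus",
     re.compile(r"^FF \w+SearchEngine: omiga-plus", re.I)),
]

# Constructed sample: five lines copied from this page's excerpts and two benign
# lines (a Microsoft service and a default IE start page) that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/
O2 - BHO: IETabPage Class - {3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C} - C:\Program Files\XTab\SupTab.dll
O23 - Service: WindowsMangerProtect Service (WindowsMangerProtect) - SysTool PasSame LIMITED - C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
 (XTab system) C:\Program Files\XTab\ProtectService.exe
 FF DefaultSearchEngine: omiga-plus
O23 - Service: Windows Update (wuauserv) - Microsoft Corporation - C:\Windows\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
""".strip("\n")


def classify_line(line):
    """Return the indicator labels that a single log line matches, in table order."""
    stripped = line.strip()
    if not stripped:
        return []
    return [name for name, pat in INDICATOR_PATTERNS if pat.search(stripped)]


def triage_log(text):
    """Split a log into (flagged, clean); flagged holds (line, [labels]) pairs."""
    flagged, clean = [], []
    for line in text.splitlines():
        hits = classify_line(line)
        if hits:
            flagged.append((line.strip(), hits))
        elif line.strip():
            clean.append(line.strip())
    return flagged, clean


def summarize(flagged):
    """Count flagged lines per indicator so a responder sees which components are present."""
    counts = {}
    for _, hits in flagged:
        for label in hits:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    flagged_lines, clean_lines = triage_log(SAMPLE_LOG)
    for line, labels in flagged_lines:
        print("FLAG", labels, "::", line)
    print("clean lines:", len(clean_lines))
    print("summary:", summarize(flagged_lines))
```

Running the script on a real log is a matter of replacing SAMPLE_LOG with the file contents; the patterns are deliberately narrow (path separators around XTab, the exact CLSID) so that unrelated lines mentioning similar words are not flagged.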
Alterations made by the installer:

File system details  
---------------------------------------------
    In the existing folder C:\Program Files\Mozilla Firefox\browser\searchplugins
       Adds the file omiga-plus.xml"="2/7/2015 12:37 PM, 569 bytes, A
    Adds the folder C:\Program Files\XTab
       Adds the file BrowerWatchCH.dll"="1/16/2015 9:45 AM, 23728 bytes, A
       Adds the file BrowerWatchFF.dll"="1/16/2015 9:45 AM, 23728 bytes, A
       Adds the file BrowserAction.dll"="1/15/2015 3:27 AM, 1720320 bytes, A
       Adds the file CmdShell.exe"="1/16/2015 9:45 AM, 48304 bytes, A
       Adds the file conf"="2/7/2015 12:39 PM, 486 bytes, A
       Adds the file ffsearch_toolbar!1.0.0.1025.xpi"="12/31/2014 4:49 AM, 14731 bytes, A
       Adds the file HPNotify.exe"="1/16/2015 9:45 AM, 673968 bytes, A
       Adds the file IeWatchDog.dll"="1/16/2015 9:45 AM, 20656 bytes, A
       Adds the file install.data"="2/7/2015 12:38 PM, 76 bytes, A
       Adds the file msvcp110.dll"="10/8/2014 8:19 AM, 535008 bytes, A
       Adds the file msvcr110.dll"="10/8/2014 8:19 AM, 875472 bytes, A
       Adds the file ProtectService.exe"="1/16/2015 9:45 AM, 158896 bytes, A
       Adds the file searchProvider.xml"="2/7/2015 12:38 PM, 2550 bytes, A
       Adds the file SupTab.dll"="1/16/2015 9:45 AM, 210096 bytes, A
    Adds the folder C:\Program Files\XTab\skin
       Adds the file about.png"="11/21/2014 8:44 AM, 4684 bytes, A
       Adds the file about_bk.png"="11/21/2014 8:44 AM, 30581 bytes, A
       Adds the file btn.png"="11/21/2014 8:44 AM, 2347 bytes, A
       Adds the file btn_apply.png"="11/21/2014 8:44 AM, 6463 bytes, A
       Adds the file close.png"="11/21/2014 8:44 AM, 3103 bytes, A
       Adds the file conf.xml"="11/21/2014 8:44 AM, 8371 bytes, A
       Adds the file conf_back.png"="11/21/2014 8:44 AM, 38792 bytes, A
       Adds the file input_bk.png"="11/21/2014 8:44 AM, 2872 bytes, A
       Adds the file logo.png"="11/21/2014 8:44 AM, 5781 bytes, A
       Adds the file main.xml"="11/21/2014 8:44 AM, 4528 bytes, A
       Adds the file radio_1.png"="11/21/2014 8:44 AM, 3293 bytes, A
       Adds the file radio_2.png"="11/21/2014 8:44 AM, 3422 bytes, A
       Adds the file rigth_arrow.png"="11/21/2014 8:44 AM, 2849 bytes, A
       Adds the file settings.png"="11/21/2014 8:44 AM, 5124 bytes, A
    Adds the folder C:\Program Files\XTab\skin\image
    Adds the folder C:\Program Files\XTab\web
       Adds the file data.html"="12/29/2014 9:18 AM, 20453 bytes, A
       Adds the file indexIE.html"="12/31/2014 8:56 AM, 1874 bytes, A
       Adds the file indexIE8.html"="12/29/2014 9:18 AM, 45446 bytes, A
       Adds the file main.css"="12/29/2014 9:18 AM, 19504 bytes, A
       Adds the file ver.txt"="12/29/2014 9:18 AM, 5 bytes, A
    Adds the folder C:\Program Files\XTab\web\_locales
    Adds the folder C:\Program Files\XTab\web\img
       Adds the file arrow.png"="12/29/2014 9:18 AM, 259 bytes, A
       Adds the file default_add_logo.png"="12/29/2014 9:18 AM, 1351 bytes, A
       Adds the file default_add_logo_hover.png"="12/29/2014 9:18 AM, 1335 bytes, A
       Adds the file default_logo.png"="12/29/2014 9:18 AM, 5143 bytes, A
       Adds the file google_trends.png"="12/29/2014 9:18 AM, 7222 bytes, A
       Adds the file googlelogo.png"="12/29/2014 9:18 AM, 7307 bytes, A
       Adds the file googlelogo2.png"="12/29/2014 9:18 AM, 31930 bytes, A
       Adds the file icon128.png"="12/29/2014 9:18 AM, 9526 bytes, A
       Adds the file icon16.png"="12/29/2014 9:18 AM, 628 bytes, A
       Adds the file icon48.png"="12/29/2014 9:18 AM, 3648 bytes, A
       Adds the file loading.gif"="12/29/2014 9:18 AM, 5008 bytes, A
       Adds the file logo32.ico"="12/29/2014 9:18 AM, 4286 bytes, A
    Adds the folder C:\Program Files\XTab\web\img\weather
       Adds the file 0.png"="12/29/2014 9:18 AM, 1080 bytes, A
    Adds the folder C:\Program Files\XTab\web\js
       Adds the file common.js"="12/31/2014 8:35 AM, 2502 bytes, A
       Adds the file ga.js"="12/29/2014 9:18 AM, 39736 bytes, A
       Adds the file ie8.js"="12/29/2014 9:18 AM, 156 bytes, A
       Adds the file jquery.autocomplete.js"="12/29/2014 9:18 AM, 12099 bytes, A
       Adds the file jquery-1.11.0.min.js"="12/29/2014 9:18 AM, 96381 bytes, A
       Adds the file js.js"="12/29/2014 9:18 AM, 18213 bytes, A
       Adds the file library.js"="12/29/2014 9:18 AM, 87473 bytes, A
       Adds the file xagainit.js"="12/29/2014 9:18 AM, 3713 bytes, A
       Adds the file xagainit2.0.js"="12/29/2014 9:18 AM, 3889 bytes, A
       Adds the file xagainit-ie8.js"="12/29/2014 9:18 AM, 3890 bytes, A
    Adds the folder C:\ProgramData\IHProtectUpDate\update
    In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs
       Alters the file Mozilla Firefox.lnk
        11/9/2013 10:58 AM, 1307 bytes, A ==> 2/7/2015 12:37 PM, 1321 bytes, A
    In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
       Alters the file Google Chrome.lnk
        1/5/2015 12:51 PM, 2164 bytes, A ==> 2/7/2015 12:37 PM, 2364 bytes, A
    Adds the folder C:\ProgramData\WindowsMangerProtect
       Adds the file ProtectWindowsManager.exe"="2/7/2015 12:37 PM, 487056 bytes, A
    Adds the folder C:\ProgramData\WindowsMangerProtect\update
       Adds the file conf"="2/7/2015 12:38 PM, 1 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]\chrome
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]\chrome\content
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]\chrome\locale
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]\chrome\skin
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]\defaults\preferences
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]\modules
    In the existing folder C:\Users\{username}\Desktop
       Alters the file iexplore.lnk
        11/9/2013 11:26 AM, 1471 bytes, A ==> 2/7/2015 12:37 PM, 1671 bytes, A
    In the existing folder C:\Users\Public\Desktop
       Alters the file Google Chrome.lnk
        1/5/2015 12:51 PM, 2129 bytes, A ==> 2/7/2015 12:37 PM, 2329 bytes, A
       Alters the file Mozilla Firefox.lnk
        11/9/2013 11:45 AM, 1109 bytes, A ==> 2/7/2015 12:37 PM, 1309 bytes, A

Registry details  
------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
       "fd1"="REG_SZ", "07"
       "fn1"="REG_SZ", "v6y-"
       "id0"="REG_SZ", "07022015"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
       "(Default)"="REG_SZ", "IETabPage Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
       "(Default)"="REG_SZ", "C:\Program Files\XTab\SupTab.dll"
       "ThreadingModel"="REG_SZ", "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Programmable]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
       "(Default)"="REG_SZ", "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
       "(Default)"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
       "(Default)"="REG_SZ", "IIETabPage"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
       "(Default)"="REG_SZ", "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
       "(Default)"="REG_SZ", "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
       "Version"="REG_SZ", "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
       "(Default)"="REG_SZ", "SupTabLib"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
       "(Default)"="REG_SZ", "C:\Program Files\XTab\SupTab.dll"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
       "(Default)"="REG_SZ", "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
       "(Default)"="REG_SZ", "C:\Program Files\XTab"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
       "(Default)"="REG_SZ", "C:\Program Files\Google\Chrome\Application\chrome.exe" http://isearch.omiga-plus.com/"
    [HKEY_LOCAL_MACHINE\SOFTWARE\IHProtect]
       "ptid"="REG_SZ", "ild"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN]
       "Default_Page_URL"="REG_SZ","http://isearch.omiga-plus.com/"
       "Default_Search_URL"="REG_SZ", "http://isearch.omiga-plus.com/web/&q={searchTerms}"
       "Search Page"="REG_SZ", "http://isearch.omiga-plus.com/web/&q={searchTerms}"
       "Start Page"="REG_SZ", "http://isearch.omiga-plus.com/"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
       "CrashReport.exe"="REG_DWORD", 7000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
       "DefaultScope"="REG_SZ", "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
       "DisplayName"="REG_SZ", "omiga-plus"
       "URL"="REG_SZ", "http://isearch.omiga-plus.com/web/&q={searchTerms}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
       "[email protected]"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\extensions\[email protected]"
    [HKEY_LOCAL_MACHINE\SOFTWARE\omiga-plusSoftware\omiga-plushp]
       "oem"="REG_SZ", "ild"
       "Time"="REG_QWORD, ....
    [HKEY_LOCAL_MACHINE\SOFTWARE\SupDp]
       "dir"="REG_SZ", "C:\Program Files\XTab"
    [HKEY_LOCAL_MACHINE\SOFTWARE\supTab]
       "ptid"="REG_SZ", "ild"
    [HKEY_LOCAL_MACHINE\SOFTWARE\supWindowsMangerProtect]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
       "EventMessageFile"="REG_EXPAND_SZ, "C:\ProgramData\WindowsMangerPro"
       "TypesSupported"="REG_DWORD", 7
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IHProtect Service]
       "DisplayName"="REG_SZ", "IHProtect Service"
       "ErrorControl"="REG_DWORD", 1
       "ImagePath"="REG_EXPAND_SZ, "C:\Program Files\XTab\ProtectService.exe"
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WindowsMangerProtect]
       "Description"="REG_SZ", "WindowsMangerProtect service"
       "DisplayName"="REG_SZ", "WindowsMangerProtect Service"
       "ErrorControl"="REG_DWORD", 1
       "Group"="REG_SZ", "SchedulerGroup"
       "ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service"
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16
    [HKEY_CURRENT_USER\Software\1ClickDownload]
       "LastInstall0"="REG_SZ", "30425802"
       "LastInstall3"="REG_SZ", "30425802"
       "LastInstallY"="REG_SZ", "30425802"
       "UID"="REG_SZ", "363761965"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
       "Default_Page_URL"="REG_SZ", "http://isearch.omiga-plus.com/"
       "Start Page"="REG_SZ", "http://isearch.omiga-plus.com/"
    [HKEY_CURRENT_USER\Software\Mozilla\Extends]
       "appid"="REG_SZ", "[email protected]"
       "ptid"="REG_SZ", "ild"
       "uid"="REG_SZ", "{unique computer identiifier}"
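Added example, not part of the Malwarebytes write-up: a Python parser for the registry-details format used above, followed by three checks a responder wants from such a dump: which services are set to auto-start as LocalSystem from outside the Windows directory (here the IHProtect and WindowsMangerProtect services), which BHO CLSIDs are registered and which DLL each one's InprocServer32 key points to (the SupTab.dll entry), and which Internet Explorer start/search values and StartMenuInternet launch commands carry a URL. The sample dump is a constructed subset of the page's registry details plus one benign service; function and constant names are my own.

```python
"""Parse a registry-details dump in the format shown on this page and summarize
the persistence and browser-override entries it records.
Example code for this page, not Malwarebytes' tooling."""
import re

# One value line: "name"="REG_TYPE", value. The dump sometimes drops the closing
# quote after the type (e.g. "ImagePath"="REG_EXPAND_SZ, "..."), so it is optional.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<type>REG_[A-Z_]+)"?,\s*(?P<value>.*)$')

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\"
BHO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
              "\\Explorer\\Browser Helper Objects\\")
CLSID_FMT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{}\\InprocServer32"
IE_URL_VALUES = ("Start Page", "Default_Page_URL", "Search Page", "Default_Search_URL")

# Constructed sample: entries copied from this page plus a benign auto-start
# service (wuauserv) that the service check must leave alone.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
   "(Default)"="REG_SZ", "C:\Program Files\XTab\SupTab.dll"
   "ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
   "(Default)"="REG_SZ", "C:\Program Files\Google\Chrome\Application\chrome.exe" http://isearch.omiga-plus.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN]
   "Default_Page_URL"="REG_SZ","http://isearch.omiga-plus.com/"
   "Start Page"="REG_SZ", "http://isearch.omiga-plus.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
   "TypesSupported"="REG_DWORD", 7
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IHProtect Service]
   "ImagePath"="REG_EXPAND_SZ, "C:\Program Files\XTab\ProtectService.exe"
   "ObjectName"="REG_SZ", "LocalSystem"
   "Start"="REG_DWORD", 2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WindowsMangerProtect]
   "ImagePath"="REG_EXPAND_SZ, "C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe -service"
   "ObjectName"="REG_SZ", "LocalSystem"
   "Start"="REG_DWORD", 2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv]
   "ImagePath"="REG_EXPAND_SZ", "C:\Windows\system32\svchost.exe -k netsvcs"
   "Start"="REG_DWORD", 2
"""


def parse_registry_dump(text):
    """Return {key_path: {value_name: value_string}}; quoted values lose their quotes."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = m.group("value").strip()
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            keys[current][m.group("name")] = value
    return keys


def auto_start_services(keys):
    """(name, ImagePath, ObjectName) for services with Start=2 whose image is outside C:\\Windows."""
    found = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        name = path[len(SERVICES_PREFIX):]
        if "\\" in name or "ImagePath" not in values:   # skip eventlog subkeys etc.
            continue
        image = values["ImagePath"]
        if values.get("Start") == "2" and not image.lower().startswith("c:\\windows\\"):
            found.append((name, image, values.get("ObjectName", "")))
    return found


def registered_bhos(keys):
    """Resolve each registered Browser Helper Object CLSID to its InprocServer32 DLL."""
    found = []
    for path in keys:
        if path.startswith(BHO_PREFIX):
            clsid = path[len(BHO_PREFIX):]
            server = keys.get(CLSID_FMT.format(clsid), {})
            found.append((clsid, server.get("(Default)", "<unresolved>")))
    return found


def browser_overrides(keys):
    """IE start/search URL values plus StartMenuInternet launch commands that embed a URL."""
    hits = []
    for path, values in keys.items():
        if path.lower().endswith("\\internet explorer\\main"):
            hits.extend((path, n, values[n]) for n in IE_URL_VALUES if n in values)
        elif "\\StartMenuInternet\\" in path and path.endswith("\\shell\\open\\command"):
            cmd = values.get("(Default)", "")
            if re.search(r"https?://", cmd):
                hits.append((path, "(Default)", cmd))
    return hits


if __name__ == "__main__":
    parsed = parse_registry_dump(SAMPLE_DUMP)
    for entry in auto_start_services(parsed):
        print("auto-start service:", entry)
    for entry in registered_bhos(parsed):
        print("BHO:", entry)
    for entry in browser_overrides(parsed):
        print("browser override:", entry)
```

The StartMenuInternet check is what the shortcut clean-up step earlier on the page is about: a browser launch command that carries a fixed URL argument reopens the hijacked page even after the home page setting has been reset, so both the registry command and the .lnk files need to be checked.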

Excerpt of the Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/7/2015
Scan Time: 12:49:20 PM
Logfile: mbamSupTab.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.07.04
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 290480
Time Elapsed: 4 min, 17 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 4
PUP.Optional.WindowsProtectManger.A, C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe, 2316, Delete-on-Reboot, [2e72110a6b1fa98d4386491d1fe1d729]
PUP.Optional.XTab.A, C:\Program Files\XTab\ProtectService.exe, 3808, Delete-on-Reboot, [762ad04b44468fa70fa4b5548082728e]
PUP.Optional.XTab.A, C:\Program Files\XTab\CmdShell.exe, 3944, Delete-on-Reboot, [633d5cbf4248ae888dc7c9c1e41f7d83]
PUP.Optional.XTab.A, C:\Program Files\XTab\HPNotify.exe, 3996, Delete-on-Reboot, [633d5cbf4248ae888dc7c9c1e41f7d83]

Modules: 13

Registry Keys: 18

Registry Values: 3

Registry Data: 8

Folders: 64

Files: 147

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.