19 Replies. Latest reply on Feb 25, 2016 5:53 AM by catdaddy

    yoursites123

    jonathanwalpole

      My Internet Explorer 11 on Windows 7 has been infected with yoursites123.

      VirusScan Enterprise + AntiSpyware Enterprise 8.8 has not picked it up.

        • 1. Re: yoursites123
          Peter M

          Moved to Malware Discussion > Corporate User Assistance for hopefully fast response.

          ---

          Peter

          Moderator

          • 2. Re: yoursites123
            Peter M

            I'm not well-versed in removal of malware from machines using corporate / Enterprise products, but if this were my computer I would use MalwareBytes Free from the link below.

            (Note the instruction on how to keep it free of charge)

            Toronto ▪ Canada
            Volunteer Moderator - Consumer Products
            I CAN'T HELP PRIVATELY - PLEASE POST IN THE FORUMS
            Use Advanced Search To Find Answers

            Anti-Spyware/Malware/Hijacker Tools

            1 of 1 people found this helpful
            • 3. Re: yoursites123
              agvozd

              To remove the Yoursites123 virus you need to delete the SSFK.exe service first. You may Google this issue and find some articles dedicated to it.

              • 4. Re: yoursites123
                catdaddy

                Yoursites123 is basically classified as a PUP (Potentially Unwanted Program), although it does resemble certain characteristics/traits of a virus. It is usually obtained by inadvertently downloading a program that has it bundled in.

                It does usually contain the (ssfk.exe) process, as it contains browser hijackers such as Delta Homes, My Search123 and multiple more. As colleague Ex_Brit initially stated, we are not well-versed on how Corporate handles such. However, I agree with his suggestion to run Malwarebytes (Free), as it has this infection in its database.


                I would add, if I may: follow up with AdwCleaner, which can be obtained from the link below Ex_Brit's signature.


                (Note) I would first of all run the 'McAfee GetSusp Tool' to add this detection to the McAfee Global Threat Intelligence base. Add your email address under 'Preferences' before scanning.

                It also can be obtained from the same Link provided.


                All the very Best,

                CD/Catdaddy

                Volunteer Community Moderator

                (Consumer Products)

                1 of 1 people found this helpful
                • 5. Re: yoursites123
                  jonathanwalpole

                  [Attachment: Getsusp results.jpg]

                  I have carried out the first stage and run GetSusp.

                  Suspicious files: WdMan.exe and ProtectService.exe

                  • 6. Re: yoursites123
                    catdaddy

                    As you can see, you are infected by those detections mentioned above. There is a removal guide specifically for 'ProtectService.exe'. It recommends running both of the tools Ex_Brit and I have recommended.

                    Remove Protectservice.exe by XTab System (Removal Guide)

                    Also, McAfee actually has a detection for (WdMan.exe):

                    McAfee-GW-EditionBehavesLike.Win32.AdwareAmonetize.fm


                    All the Best,

                    CD

                    • 7. Re: yoursites123
                      jonathanwalpole

                      Malwarebytes has removed as follows:

                      Malwarebytes Anti-Malware
                      www.malwarebytes.org

                      Scan Date: 12/12/2015
                      Scan Time: 11:16
                      Logfile: malwarebytes removed 01.txt
                      Administrator: Yes

                      Version: 2.2.0.1024
                      Malware Database: v2015.12.12.02
                      Rootkit Database: v2015.12.07.01
                      License: Free
                      Malware Protection: Disabled
                      Malicious Website Protection: Disabled
                      Self-protection: Disabled

                      OS: Windows 7 Service Pack 1
                      CPU: x64
                      File System: NTFS
                      User: Margaret

                      Scan Type: Custom Scan
                      Result: Cancelled
                      Objects Scanned: 118874
                      Time Elapsed: 23 min, 19 sec

                      Memory: Enabled
                      Startup: Enabled
                      Filesystem: Enabled
                      Archives: Enabled
                      Rootkits: Disabled
                      Heuristics: Enabled
                      PUP: Enabled
                      PUM: Enabled

                      Processes: 2
                      PUP.Optional.ChinAd, C:\Program Files (x86)\SFK\SSFK.exe, 2344, , [3ff300a48a01cd69651f931ebb46d030]
                      PUP.Optional.XTab, C:\Program Files (x86)\XTab\ProtectService.exe, 5240, , [0f23a9fb96f5b482f5b0979b39c8f907]

                      Modules: 0
                      (No malicious items detected)

                      Registry Keys: 30
                      PUP.Optional.ChinAd, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SSFK, , [3ff300a48a01cd69651f931ebb46d030],
                      PUP.Optional.XTab, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\IHProtect Service, , [0f23a9fb96f5b482f5b0979b39c8f907],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\CLASSES\TYPELIB\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\CLASSES\INTERFACE\{917CAAE9-DD47-4025-936E-1414F07DF5B8}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{917CAAE9-DD47-4025-936E-1414F07DF5B8}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{917CAAE9-DD47-4025-936E-1414F07DF5B8}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKU\S-1-5-21-2533685313-553324556-177818244-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.SupTab, HKU\S-1-5-21-2533685313-553324556-177818244-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.PriceFountain, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{b608cc98-54de-4775-96c9-097de398500c}, , [b181cfd52e5df14596223222bb47a759],
                      PUP.Optional.PriceFountain, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{B608CC98-54DE-4775-96C9-097DE398500C}, , [b181cfd52e5df14596223222bb47a759],
                      PUP.Optional.PriceFountain, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B608CC98-54DE-4775-96C9-097DE398500C}, , [b181cfd52e5df14596223222bb47a759],
                      PUP.Optional.PriceFountain, HKU\S-1-5-21-2533685313-553324556-177818244-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B608CC98-54DE-4775-96C9-097DE398500C}, , [b181cfd52e5df14596223222bb47a759],
                      PUP.Optional.PriceFountain, HKU\S-1-5-21-2533685313-553324556-177818244-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B608CC98-54DE-4775-96C9-097DE398500C}, , [b181cfd52e5df14596223222bb47a759],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\TYPELIB\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\INTERFACE\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\INTERFACE\{9B41579A-1996-42F9-8F84-7B7786818CEF}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\INTERFACE\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9B41579A-1996-42F9-8F84-7B7786818CEF}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9B41579A-1996-42F9-8F84-7B7786818CEF}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.MultiPlug, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{E2343056-CC08-46AC-B898-BFC7ACF4E755}, , [d959c9db8dfece685b11f1689c66639d],

                      Registry Values: 0
                      (No malicious items detected)

                      Registry Data: 0
                      (No malicious items detected)

                      Folders: 0
                      (No malicious items detected)

                      Files: 6
                      PUP.Optional.ChinAd, C:\Program Files (x86)\SFK\SSFK.exe, , [3ff300a48a01cd69651f931ebb46d030],
                      PUP.Optional.XTab, C:\Program Files (x86)\XTab\ProtectService.exe, , [0f23a9fb96f5b482f5b0979b39c8f907],
                      PUP.Optional.SupTab, C:\Program Files (x86)\XTab\SupTab.dll, , [3af8f8acd0bb46f0b4abe274f30f48b8],
                      PUP.Optional.MultiPlug, C:\ProgramData\SalesCheccker\xvJE.tlb, , [d959c9db8dfece685b11f1689c66639d],
                      PUP.Optional.OpenCandy, C:\Users\Margaret\Downloads\FreeFileSync_7.2_Win_Setup.exe, , [3af8b6ee91fad3632667cdc763a1b64a],
                      PUP.Optional.OpenCandy, C:\$RECYCLE.BIN\S-1-5-21-2533685313-553324556-177818244-1000\$RM5KAB2.exe, , [6cc6e4c017748caa7419d3c115eff30d],

                      Physical Sectors: 0
                      (No malicious items detected)


                      (end)
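The log above lists the two service keys (SSFK and IHProtect Service), the running processes, the BHO CLSID registrations and the dropped files for this infection, and the earlier replies point out that the service has to go before its binary can be removed. The following triage script is an added example, not code from this thread or from Malwarebytes: it parses a Malwarebytes Anti-Malware 2.x text log of the layout shown (a "Section: N" header followed by comma-separated detection lines ending in a bracketed 32-hex id), pulls out service names, process ids, BHO CLSIDs and file paths, and ties each service key to the binaries that share its bracketed id. That id is used purely as a grouping key, on the assumption that items sharing it belong to one detection; the embedded sample is constructed from a subset of the lines in the log above.

```python
"""Triage helper for a Malwarebytes Anti-Malware 2.x text log.

Added example (not from the thread or from Malwarebytes). It assumes the
layout seen in the log above: a "Section: N" header followed by lines of
"family, target, [pid,] , [32-hex id]". The bracketed id is used here only
as a grouping key on the assumption that items sharing it belong to one
detection.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the detection lines from the log above
SAMPLE_LOG = r"""
Processes: 2
PUP.Optional.ChinAd, C:\Program Files (x86)\SFK\SSFK.exe, 2344, , [3ff300a48a01cd69651f931ebb46d030]
PUP.Optional.XTab, C:\Program Files (x86)\XTab\ProtectService.exe, 5240, , [0f23a9fb96f5b482f5b0979b39c8f907]

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.ChinAd, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SSFK, , [3ff300a48a01cd69651f931ebb46d030],
PUP.Optional.XTab, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\IHProtect Service, , [0f23a9fb96f5b482f5b0979b39c8f907],
PUP.Optional.SupTab, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, , [3af8f8acd0bb46f0b4abe274f30f48b8],
PUP.Optional.PriceFountain, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{b608cc98-54de-4775-96c9-097de398500c}, , [b181cfd52e5df14596223222bb47a759],

Files: 3
PUP.Optional.ChinAd, C:\Program Files (x86)\SFK\SSFK.exe, , [3ff300a48a01cd69651f931ebb46d030],
PUP.Optional.XTab, C:\Program Files (x86)\XTab\ProtectService.exe, , [0f23a9fb96f5b482f5b0979b39c8f907],
PUP.Optional.OpenCandy, C:\Users\Margaret\Downloads\FreeFileSync_7.2_Win_Setup.exe, , [3af8b6ee91fad3632663cdc763a1b64a],

(end)
"""

SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors"}
SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
ID_RE = re.compile(r"\[([0-9a-f]{32})\]")
SERVICES_PREFIX = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"
BHO_MARKER = "\\BROWSER HELPER OBJECTS\\{"


def parse_log(text):
    """Yield (section, family, target, pid, det_id) for every detection line."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) if m.group(1) in SECTIONS else None
            continue
        idm = ID_RE.search(line)
        if section is None or idm is None:
            continue  # blank line, "(No malicious items detected)", "(end)", ...
        parts = [p.strip() for p in line.split(", ")]
        family, target = parts[0], parts[1]
        pid = None
        if section == "Processes" and len(parts) > 2 and parts[2].isdigit():
            pid = int(parts[2])
        yield section, family, target, pid, idm.group(1)


def triage(text):
    """Group detections in the order a manual cleanup would use them:
    service keys first, then running processes, BHO registrations, files."""
    hits = list(parse_log(text))
    out = {"services": [], "processes": [], "bho_clsids": [], "files": [],
           "service_binaries": {}, "families": {}}
    by_id = defaultdict(list)
    families = defaultdict(set)
    for section, family, target, pid, det_id in hits:
        families[family].add(det_id)
        by_id[det_id].append((section, target))
        up = target.upper()
        if section == "Registry Keys" and up.startswith(SERVICES_PREFIX):
            out["services"].append(target[len(SERVICES_PREFIX):])
        elif section == "Registry Keys" and BHO_MARKER in up:
            out["bho_clsids"].append(up.rsplit("\\", 1)[1])
        elif section == "Processes":
            out["processes"].append((target, pid))
        elif section == "Files":
            out["files"].append(target)
    # Tie each service key to the binaries that share its detection id, so the
    # service can be stopped and deleted before its executable is removed.
    for name in out["services"]:
        det_ids = {d for s, f, t, p, d in hits
                   if s == "Registry Keys" and t.upper().startswith(SERVICES_PREFIX)
                   and t[len(SERVICES_PREFIX):] == name}
        out["service_binaries"][name] = sorted(
            t for d in det_ids for s, t in by_id[d] if s == "Files")
    out["families"] = {f: sorted(ids) for f, ids in families.items()}
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("services", "processes", "bho_clsids", "files"):
        print(f"{key}: {result[key]}")
    print("service -> binaries:", result["service_binaries"])
```

Run against a full log, the `services` and `service_binaries` output gives the "delete the service first" order directly, and `bho_clsids` is the list to confirm is gone from the Browser Helper Objects key after the reboot that completes removal.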

                      • 8. Re: yoursites123
                        catdaddy

                        Then I would select 'Delete/Remove' and restart to complete the removal process. I would then run AdwCleaner to check as well.

                        (PUP.Optional.ChinAd, C:\Program Files (x86)\SFK\SSFK.exe, 2344) Also, as I mentioned earlier (Post #4), the 'SSFK.exe' PUP was removed as well.

                        • 9. Re: yoursites123
                          Peter M

                          If you need that log analysed in detail, we don't do that here; you need: Malwarebytes Community
